Which combination of steps will meet these requirements?

By:
In: DOP-C01
Tagged:
With: 1 Comment
An ecommerce company has chosen AWS to host its new platform.The company’s DevOps team has started building an AWS Control Tower landing zone.The DevOps team has set the identity store within AWS Single Sign-On (AWS SSO) to external identity provider (IdP) and has configured SAML 2 0.The DevOps team wants a robust permission model that applies the principle of least privilege.The model must allow the team to build and manage only the team’s own resources.

Which combination of steps will meet these requirements?

(Choose three.)

Create IAM policies that include the required permissions. Include the aws PrincipalTag condition key.

Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.

Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in AWS SSO.

Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.

Enable attributes for access control in AWS SSO. Apply tags to users. Map the tags as key-value pairs.

Enable attributes for access control in AWS SSO. Map attributes from the IdP as key-value pairs.

Explanations:

While creating IAM policies that include required permissions is essential, using theaws:PrincipalTagcondition key is not sufficient alone. It does not provide the necessary structure to limit permissions by user roles effectively, especially without the context of permission sets in AWS SSO.

Creating permission sets and attaching an inline policy with theaws:PrincipalTagcondition key allows for scoped permissions based on the user’s tags, thereby adhering to the principle of least privilege by allowing users to manage only their own resources.

Creating a group in the IdP and assigning users to it allows for centralized management of user permissions. Assigning the group to accounts and permission sets in AWS SSO ensures that only the appropriate users have access to the necessary resources in a controlled manner.

While creating a group in the IdP is a valid step, assigning the group to organizational units (OUs) and IAM policies does not align with the need for a least privilege model within AWS SSO, which relies on permission sets for access control rather than direct IAM policy assignments.

Enabling attributes for access control in AWS SSO and applying tags to users is useful, but it does not directly facilitate the permission model required for managing resources. Mapping attributes as key-value pairs is not enough to establish the permissions needed for the team’s operational model.

Enabling attributes for access control and mapping attributes from the IdP as key-value pairs allows for effective permission management based on user roles. This is essential in implementing a least privilege model, allowing access to resources based on user attributes.

2025-10-05

1 Comment

  1. Amy
    Author

    I design that the answer is:
    Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.

Leave a Reply to Amy Cancel reply

Your email address will not be published. Required fields are marked *

one + 18 =