Which solution meets these requirements with the LEAST operational overhead?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A company is building a cloud-based application on AWS that will handle sensitive customer data.The application uses Amazon RDS for the database, Amazon S3 for object storage, and S3 Event Notifications that invoke AWS Lambda for serverless processing.The company uses AWS IAM Identity Center to manage user credentials.The development, testing, and operations teams need secure access to Amazon RDS and Amazon S3 while ensuring the confidentiality of sensitive customer data.The solution must comply with the principle of least privilege.

Which solution meets these requirements with the LEAST operational overhead?

Use IAM roles with least privilege to grant all the teams access. Assign IAM roles to each team with customized IAM policies defining specific permission for Amazon RDS and S3 object access based on team responsibilities.

Enable IAM Identity Center with an Identity Center directory. Create and configure permission sets with granular access to Amazon RDS and Amazon S3. Assign all the teams to groups that have specific access with the permission sets.

Create individual IAM users for each member in all the teams with role-based permissions. Assign the IAM roles with predefined policies for RDS and S3 access to each user based on user needs. Implement IAM Access Analyzer for periodic credential evaluation.

Use AWS Organizations to create separate accounts for each team. Implement cross-account IAM roles with least privilege. Grant specific permission for RDS and S3 access based on team roles and responsibilities.

Explanations:

While using IAM roles with least privilege can grant access, it requires more operational overhead in terms of role management and policy definitions for each team, increasing complexity.

IAM Identity Center allows for centralized management of user access with minimal operational overhead. Permission sets provide granular access controls, simplifying access management for the teams while ensuring compliance with the principle of least privilege.

Creating individual IAM users for each team member increases operational overhead due to user management complexities. Additionally, it does not leverage the benefits of IAM Identity Center, which simplifies access and management.

Using separate accounts for each team adds significant complexity in terms of account management and cross-account role setups. This approach also increases operational overhead compared to using a centralized IAM Identity Center for user access.

2025-10-20

1 Comment

  1. Bradley
    Author

    I assess that the answer is:
    Enable IAM Identity Center with an Identity Center directory. Create and configure permission sets with granular access to Amazon RDS and Amazon S3. Assign all the teams to groups that have specific access with the permission sets.

Leave a Reply

Your email address will not be published. Required fields are marked *

eight + thirteen =