Which solution will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company hosts a security auditing application in an AWS account.The auditing application uses an IAM role to access other AWS accounts.All the accounts are in the same organization in AWS Organizations.A recent security audit revealed that users in the audited AWS accounts could modify or delete the auditing application’s IAM role.The company needs to prevent any modification to the auditing application’s IAM role by any entity other than a trusted administrator IAM role.

Which solution will meet these requirements?

Create an SCP that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.

Create an SCP that includes an Allow statement for changes to the auditing application’s IAM role by the trusted administrator IAM role. Include a Deny statement for changes by all other IAM principals. Attach the SCP to the IAM service in each AWS account where the auditing application has an IAM role.

Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the audited AWS accounts.

Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the auditing application’s IAM role in the AWS accounts.

Explanations:

An SCP with a Deny statement applied to the organization root can effectively restrict all entities except the trusted administrator IAM role from modifying the auditing application’s IAM role across all accounts.

SCPs do not support attachment to individual AWS services within accounts; they are applied at the organizational level or to specific accounts or OUs, not individual services within each account.

Permissions boundaries control actions an IAM role or user can perform but do not restrict other principals from modifying the auditing role itself. SCPs are necessary for this organization-wide restriction.

Permissions boundaries limit permissions within a role but do not prevent other accounts or users from modifying or deleting the role itself; only an SCP can enforce organization-wide restrictions on a specific role’s modification.

2025-10-12

1 Comment

  1. Maria
    Author

    I conclude that the answer is:
    Create an SCP that includes a Deny statement for changes to the auditing application’s IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 3 =