Which solution will meet these requirements with the LEAST operational overhead?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A company uses AWS Organizations to manage a small number of AWS accounts.However, the company plans to add 1,000 more accounts soon.The company allows only a centralized security team to create IAM roles for all AWS accounts and teams.Application teams submit requests for IAM roles to the security team.The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.The security team must create a process that will allow application teams to provision their own IAM roles.The process must also limit the scope of IAM roles and prevent privilege escalation.

Which solution will meet these requirements with the LEAST operational overhead?

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions in the AWS account of each team.

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Explanations:

Creating IAM groups and provisioning IAM users for each application team does not meet the requirement of delegating IAM role provisioning while limiting scope and preventing privilege escalation. IAM users require direct permissions, and managing a large number of users could become cumbersome and prone to errors.

Delegating IAM role provisioning to application team leads with periodic reviews creates a manual process that is prone to human error and does not provide an automated solution to limit scope or prevent privilege escalation. This also adds operational overhead in the form of ongoing reviews.

Using Service Control Policies (SCPs) to restrict AWS service access in individual accounts can help limit scope but does not directly address the delegation of IAM role creation or privilege escalation within the accounts. It’s more focused on service access rather than managing IAM roles.

Using an SCP and a permissions boundary is the best solution because it ensures that only IAM roles with a predefined permissions boundary can be created. This limits the scope of the roles and prevents privilege escalation, while the SCP ensures that the security team’s policies are consistently applied across all accounts. This solution meets the requirements with the least operational overhead.

2026-03-25

2 Comments

  1. Larry
    Author

    As I recall, the answer is:
    Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

  2. Dennis
    Author

    I assess that the answer is:
    Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Leave a Reply to Dennis Cancel reply

Your email address will not be published. Required fields are marked *

5 × 2 =