Which solution will meet these requirements with the LEAST operational overhead?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A company manages AWS accounts in AWS Organizations.AWS IAM Identity Center (AWS Single Sign-On) and AWS Control Tower are configured for the accounts.The company wants to manage multiple user permissions across all the accounts.The permissions will be used by multiple IAM users and must be split between the developer and administrator teams.Each team requires different permissions.The company wants a solution that includes new users that are hired on both teams.

Which solution will meet these requirements with the LEAST operational overhead?

Create individual users in IAM Identity Center for each account. Create separate developer and administrator groups in IAM Identity Center. Assign the users to the appropriate groups. Create a custom IAM policy for each group to set fine-grained permissions.

Create individual users in IAM Identity Center for each account. Create separate developer and administrator groups in IAM Identity Center. Assign the users to the appropriate groups. Attach AWS managed IAM policies to each user as needed for fine-grained permissions.

Create individual users in IAM Identity Center. Create new developer and administrator groups in IAM Identity Center. Create new permission sets that include the appropriate IAM policies for each group. Assign the new groups to the appropriate accounts. Assign the new permission sets to the new groups. When new users are hired, add them to the appropriate group.

Create individual users in IAM Identity Center. Create new permission sets that include the appropriate IAM policies for each user. Assign the users to the appropriate accounts. Grant additional IAM permissions to the users from within specific accounts. When new users are hired, add them to IAM Identity Center and assign them to the accounts.

Explanations:

This option involves creating individual users for each account, which leads to higher operational overhead as it requires managing user accounts across multiple accounts. Creating custom IAM policies for each group can also complicate management, especially with changes in team structure or policies.

While using AWS managed IAM policies can reduce complexity compared to custom policies, creating individual users in each account still results in significant overhead. Furthermore, managing permissions at the user level rather than at the group level is less efficient and does not leverage the benefits of IAM Identity Center.

This option effectively utilizes IAM Identity Center’s features by creating permission sets for developer and administrator groups. This setup allows for centralized management of permissions and simplifies the onboarding of new users, as they can simply be added to the appropriate group without additional configuration needed for each account.

Although this option allows for assigning individual permission sets to users, it introduces operational overhead by requiring individual user management and additional permissions in specific accounts. It lacks the efficiency of group management offered by IAM Identity Center and complicates onboarding for new users.

2025-10-04

1 Comment

  1. Danielle
    Author

    I suspect that the answer is:
    Create individual users in IAM Identity Center. Create new developer and administrator groups in IAM Identity Center. Create new permission sets that include the appropriate IAM policies for each group. Assign the new groups to the appropriate accounts. Assign the new permission sets to the new groups. When new users are hired, add them to the appropriate group.

Leave a Reply

Your email address will not be published. Required fields are marked *

8 + 1 =