Question #935
A corporation employs staff who frequently transition between departments requiring distinct access levels. The corporation wants to ensure that permissions are automatically adjusted according to the current department without manual intervention. Which IAM resource minimizes administrative effort in this scenario?
IAM user groups
IAM roles
IAM instance profiles
IAM policies attached directly to users
Explanation
IAM roles are the correct answer because they enable temporary, department-specific permissions through role assumption. When employees switch departments, they can assume a role pre-configured with the required permissions, eliminating the need to manually update group memberships or user policies.
- Why other options are incorrect:
- A (IAM user groups): Requires manual user movement between groups when departments change.
- C (IAM instance profiles): Used for EC2 instances, not user access management.
- D (IAM policies attached directly to users): Requires manual policy updates for each department change.
Key Points:
- Roles provide dynamic, temporary credentials.
- Roles reduce administrative overhead by centralizing permissions per department.
- Manual methods (groups, direct policies) are error-prone and time-consuming for frequent changes.
Answer
The correct answer is: B