Question #2000
A company is developing a cloud-based application on AWS that processes confidential financial records. The application utilizes Amazon EC2 for compute resources, Amazon DynamoDB for database operations, and Amazon SQS for message queuing. The company employs AWS IAM Identity Center to centralize user authentication. The development, analytics, and security teams require secure access to EC2 instances and DynamoDB tables while adhering to the principle of least privilege and minimizing administrative effort. Which solution fulfills these requirements MOST effectively?
Create IAM roles with least-privilege policies for each team. Assign these roles to team members via IAM, with policies tailored to their EC2 and DynamoDB access requirements based on team functions.
Configure IAM Identity Center with an Identity Center directory. Establish permission sets specifying granular permissions for EC2 and DynamoDB. Assign all teams to groups associated with these permission sets to enforce access controls.
Provision individual IAM users for every team member across all teams. Attach IAM policies granting EC2 and DynamoDB permissions based on individual responsibilities. Use AWS IAM Access Analyzer to audit permissions regularly.
Leverage AWS Organizations to provision dedicated accounts for each team. Implement cross-account IAM roles with least-privilege policies, granting EC2 and DynamoDB access aligned with team roles.
Explanation
Option B is the best solution because:
1. IAM Identity Center Integration: The question specifies the use of IAM Identity Center for centralized authentication. Permission sets in Identity Center allow granular policy assignments aligned with team roles (e.g., development, analytics, security), ensuring least privilege.
2. Group-Based Access: Assigning teams to groups associated with permission sets reduces administrative overhead compared to managing individual users (as in Option C) or cross-account roles (Option D).
3. Least Privilege: Permission sets can be tailored to specific EC2 and DynamoDB actions required by each team, avoiding overly broad permissions.
Other options are less optimal:
- A: Managing IAM roles per user via IAM (not Identity Center) increases administrative effort.
- C: Individual IAM users require manual policy management, which scales poorly.
- D: Cross-account roles add complexity without necessity, as the question does not require multi-account isolation.
Key Points: Use IAM Identity Center permission sets and groups for centralized, least-privilege access in multi-team environments.
Answer
The correct answer is: B