Question #1406
A deployment engineer is responsible for managing AWS Elastic Beanstalk environments. A solutions architect needs to ensure the engineer follows the principle of least privilege. Which combination of actions should the solutions architect take? (Choose two.)
A. Have the deployment engineer use AWS account root user credentials for Elastic Beanstalk operations.
B. Create a new IAM user for the engineer and add the user to a group with the PowerUsers IAM policy attached.
C. Create a new IAM user for the engineer and add the user to a group with the AdministratorAccess IAM policy attached.
D. Create a new IAM user for the engineer and add the user to a group with an IAM policy that allows Elastic Beanstalk actions only.
E. Create an IAM role defining explicit permissions for Elastic Beanstalk and require the engineer to assume the role for deployments.
Explanation
The principle of least privilege requires granting only necessary permissions.
- D ensures the engineer's IAM policy allows only Elastic Beanstalk actions, avoiding broader access like PowerUsers (B) or AdministratorAccess (C).
- E uses an IAM role with explicit permissions, enabling temporary, task-specific access.
Why others are incorrect:
- A (root user) grants full account access, violating least privilege.
- B/C provide excessive permissions beyond Elastic Beanstalk.
Key Points:
1. Avoid the root user and IAM user policies with broad access (A/B/C).
2. Use custom policies (D) or roles (E) to limit permissions to required actions.
Answer
The correct answer is: DE