Question #1770
A solutions architect is designing an AWS Identity and Access Management (IAM) authorization model for a company's AWS account. The company has designated five employees to have full access to AWS services and resources, except they must not be allowed to manage IAM users or groups. The solutions architect has created an IAM user for each employee and an IAM user group.
Which solution will meet these requirements?
A. Attach the PowerUserAccess resource-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group.
B. Attach the AdministratorAccess identity-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group.
C. Attach the PowerUserAccess identity-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group.
D. Attach the IAMReadOnlyAccess resource-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group.
Explanation
The PowerUserAccess identity-based policy (Option C) allows full access to AWS services and resources but explicitly denies permissions to manage IAM users, groups, and policies. This matches the requirement of granting full access while restricting IAM management.
- Option A is incorrect because PowerUserAccess is an identity-based policy, not a resource-based policy. Resource-based policies are attached to AWS resources (e.g., S3 buckets), not IAM groups.
- Option B is incorrect because AdministratorAccess grants full permissions, including IAM management, which violates the requirement.
- Option D is incorrect because IAMReadOnlyAccess only allows read access to IAM and does not grant full access to other AWS services.
Key Points:
1. Use identity-based policies for IAM users/groups.
2. PowerUserAccess provides full AWS access except IAM management.
3. AdministratorAccess includes IAM management permissions.
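The carve-out in PowerUserAccess comes from an Allow statement written with NotAction (everything except iam:*, organizations:* and account:*), so IAM management actions fall through to IAM's implicit deny rather than being listed one by one. The following added example (not part of the question bank, and not AWS's own policy text) models that evaluation on constructed policies shaped like PowerUserAccess and AdministratorAccess, simplified to Resource "*".

```python
import fnmatch

# Constructed policies shaped like the managed policies discussed above.
# Simplified: the real PowerUserAccess also allows a handful of account:,
# organizations: and service-linked-role read/create actions.
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:ListRoles", "iam:CreateServiceLinkedRole"],
         "Resource": "*"},
    ],
}
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action names match case-insensitively and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_covers(stmt, action):
    """True when the statement's Action / NotAction clause applies to action."""
    if "Action" in stmt:
        return _matches(_as_list(stmt["Action"]), action)
    return not _matches(_as_list(stmt["NotAction"]), action)


def is_allowed(policy, action):
    """Single-policy evaluation on Resource '*': an explicit Deny always wins,
    then any matching Allow grants access, otherwise the implicit deny applies."""
    allowed = False
    for stmt in policy["Statement"]:
        if not statement_covers(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for action in ["s3:PutObject", "ec2:RunInstances", "iam:CreateUser",
                   "iam:AddUserToGroup", "iam:ListRoles"]:
        print(action, "PowerUser:", is_allowed(POWER_USER_ACCESS, action),
              "Admin:", is_allowed(ADMINISTRATOR_ACCESS, action))
```

Running it shows both policies allowing the S3 and EC2 actions, while iam:CreateUser and iam:AddUserToGroup are allowed only under the AdministratorAccess-shaped policy, which is exactly why Option B fails the requirement.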
Answer
The correct answer is: C