Question #914
A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to grant developers permissions to manage resources in their AWS accounts. All development units deploy their production workloads into a shared production account. Recently, an incident occurred where members of one development unit modified an RDS database instance that belonged to another development unit. A solutions architect must design a solution to prevent such incidents in the future while still allowing developers to manage their own RDS instances. Which strategy meets these requirements?
A. Create separate organizational units (OUs) in AWS Organizations for each development unit. Assign the OUs to the company's AWS accounts. Create SCPs with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag matching the development unit name. Assign the SCPs to the corresponding OUs.
B. Pass a DevelopmentUnit attribute as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developers' assumed IAM role with a deny action and a StringNotEquals condition comparing the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit.
C. Pass a DevelopmentUnit attribute as an AWS STS session tag during SAML federation. Create an SCP with an allow action and a StringEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit. Assign the SCP to the root OU.
D. Create separate IAM policies for each development unit. In each policy, include an allow action with a StringEquals condition for the DevelopmentUnit resource tag and the development unit name. During SAML federation, use AWS STS to assign the IAM policy matching the development unit name to the assumed IAM role.
Explanation
Option B is correct because it dynamically assigns a DevelopmentUnit session tag during SAML federation, which is then used in IAM policies to deny actions unless the RDS resource's tag matches the developer's principal tag. This approach enforces resource isolation within the shared account while allowing developers to manage their own resources.
Other options are incorrect because:
- A: SCPs apply to entire OUs/accounts and cannot differentiate between resources within a shared account using resource tags tied to OUs.
- C: SCPs cannot reference principal tags (e.g., aws:PrincipalTag) and are not designed for granular resource-level access control.
- D: Using allow actions with static IAM policies may not prevent cross-unit access if resource tagging is inconsistent, whereas a deny policy (B) explicitly blocks unauthorized modifications.
Key Points:
1. Use STS session tags to pass user attributes (e.g., DevelopmentUnit) during federation.
2. Apply IAM policy conditions (StringNotEquals) to compare resource tags and principal tags.
3. Deny policies are more effective for preventing unintended access than allow-only policies.
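The identity-based policy that option B describes, written out as an added example (it is not part of the question or its explanation, and the statement IDs, action list and tag key DevelopmentUnit are illustrative choices). It assumes the IdP sends the session tag as the SAML attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:DevelopmentUnit and that the role's trust policy allows sts:TagSession alongside sts:AssumeRoleWithSAML, since the tag cannot be set otherwise. The first statement grants broad RDS access; the explicit Deny statements then withdraw write access whenever the instance's DevelopmentUnit tag does not equal the caller's principal tag, and also block the obvious bypass of retagging another unit's instance.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRdsManagement",
      "Effect": "Allow",
      "Action": "rds:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyChangesToOtherUnitsInstances",
      "Effect": "Deny",
      "Action": [
        "rds:ModifyDBInstance",
        "rds:RebootDBInstance",
        "rds:StopDBInstance",
        "rds:StartDBInstance",
        "rds:DeleteDBInstance"
      ],
      "Resource": "arn:aws:rds:*:*:db:*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/DevelopmentUnit": "${aws:PrincipalTag/DevelopmentUnit}"
        }
      }
    },
    {
      "Sid": "DenyRetaggingOtherUnitsInstances",
      "Effect": "Deny",
      "Action": [
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource"
      ],
      "Resource": "arn:aws:rds:*:*:db:*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/DevelopmentUnit": "${aws:PrincipalTag/DevelopmentUnit}"
        }
      }
    },
    {
      "Sid": "DenyCreatingInstancesForOtherUnits",
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "arn:aws:rds:*:*:db:*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/DevelopmentUnit": "${aws:PrincipalTag/DevelopmentUnit}"
        }
      }
    }
  ]
}
```

Two points worth checking before rolling this out. The Deny statements are scoped to instance ARNs and to mutating actions rather than to rds:* on "*", because aws:ResourceTag is absent from the request context for list and describe calls, and a deny on those would stop developers seeing anything. Second, a negated operator such as StringNotEquals evaluates to true when the key is missing, so an instance that carries no DevelopmentUnit tag is denied to every developer; that is the fail-closed behaviour the explanation credits the deny approach with, but it means every instance in the shared account needs the tag applied consistently.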
Answer
The correct answer is: B