🔥 3-day streak
AWS Certified Solutions Architect - Professional82 / 186
Question 82 of 186

A financial services company uses AWS IAM Identity Center (successor to AWS SSO) with an external SAML identity provider to grant developers access across 40 accounts in AWS Organizations. Each developer receives a permission set that grants broad access to build resources, including full IAM privileges within their assigned workload accounts. A security audit discovers that developers can create new IAM roles and attach the AdministratorAccess policy, effectively escalating their own privileges beyond what the permission set intended. The security team wants to cap the maximum permissions any IAM entity created by developers can ever have, without removing developers' ability to create roles for their applications. Which approach best addresses this requirement?

Reviewed for accuracy · Report an issueNext question