🔥 3-day streak
AWS Certified Security - Specialty118 / 157
Question 118 of 157
A security team manages a 40-account AWS Organization. They want to guarantee that developers in workload accounts cannot create IAM users with long-lived access keys, but must still allow the organization's central identity provisioning role (arn:aws:iam::*:role/OrgIdentityProvisioner) to create service accounts when absolutely required. The solution must apply organization-wide and be enforced regardless of any permissions granted by account administrators. Which approach best meets these requirements?
Reviewed for accuracy · Report an issueNext question