🔥 3-day streak
AWS Certified Security - Specialty119 / 157
Question 119 of 157

A security engineer manages an AWS Organization with 200 accounts. Developers in member accounts have broad IAM permissions, including iam:CreateRole and iam:AttachRolePolicy. The security team wants to prevent any developer from creating or modifying roles that could grant themselves administrative access, while still allowing developers to create service roles for their applications. The team has defined that all developer-created roles MUST have a permissions boundary policy named 'DeveloperBoundary' attached. Which Service Control Policy (SCP) approach best enforces this requirement across all member accounts?

Reviewed for accuracy · Report an issueNext question