🔥 3-day streak
AWS Certified SysOps Administrator - Associate93 / 150
Question 93 of 150

A SysOps administrator must allow a team of application developers to create new IAM roles for their Lambda functions. Security policy requires that any role the developers create must never be able to grant permissions beyond a defined set of services (Lambda, DynamoDB, and CloudWatch Logs), even if the developer attaches broader policies. The developers should still be able to create and manage roles independently. What is the MOST effective way to enforce this constraint?

Reviewed for accuracy · Report an issueNext question