🔥 3-day streak
AWS Certified SysOps Administrator - Associate123 / 150
Question 123 of 150

A SysOps administrator manages a multi-account AWS Organization. The security team requires that developers in a member account can create IAM roles for their applications, but those created roles must never be able to modify billing, leave the organization, or access CloudTrail settings. Additionally, the developers themselves must never be able to grant more permissions than a defined maximum, even when creating new roles. Which combination of controls correctly enforces these requirements?

Reviewed for accuracy · Report an issueNext question