🔥 3-day streak
AWS Certified CloudOps Engineer - Associate99 / 159
Question 99 of 159

A company allows developers in each project team to create IAM roles for their own applications so they can move quickly. Security is concerned that a developer could create a role with full administrative access and attach it to an application. The security team wants developers to retain the ability to create roles and attach policies, but wants to guarantee that any role they create can never obtain permissions beyond a defined set (such as S3, DynamoDB, and CloudWatch access). What is the MOST appropriate way to enforce this constraint?

Reviewed for accuracy · Report an issueNext question