A company has AWS accounts that are members of the same organization in AWS Organizations. According to the company’s security policy, IAM customer managed policies must be scoped to specific actions and must not include wildcard actions on wildcard resources. If an IAM customer managed policy is created or modified in any of the company’s AWS accounts to grant wildcard actions on resources that also specify wildcards, the policy must be detached from any IAM user, role, or group that the policy is attached to Individual AWS account administrators must not be able to prevent the removal of the policies. Which combination of steps will meet these requirements? (Choose two.)

Topic #: - All AWS DevOps Engineer Professional Questions

A. Configure automatic remediation to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook.
B. Configure automatic remediation to invoke a custom AWS Lambda function to detach the IAM policy from the affected resources.
C. Configure automatic remediation to use AWS Systems Manager Run Command to detach the IAM policy from the affected resources.
D. Turn on AWS Config by using an AWS CloudFormation stack set that is created in a central account. Configure automatic deployment for the stack set, and specify the organization as the target. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the central account.
E. Turn on AWS Config for the organization. Create a new AWS account. Configure the account as a delegated administrator account for AWS Config. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the delegated administrator account.

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Reference Material:

Suggested Answer:

Reference Material:

Share this post

Join the Discussion