Question 302 of 1,040
Design Secure Architectures · medium · Multiple Select · Objective-mapped

Quick Answer

The answer is to use an SCP that denies iam:CreateRole or iam:PutRolePermissionsBoundary unless the approved boundary ARN is specified, combined with attaching that permissions boundary to every new role. This works because a permissions boundary acts as an IAM feature that enforces a permission ceiling, capping the maximum permissions any role can have regardless of attached policies, while the SCP ensures teams cannot bypass or remove that boundary later. On the SAA-C03 exam, this scenario tests your understanding of how SCPs and permissions boundaries work together to delegate authority safely—a common trap is thinking a single policy alone suffices, but the SCP is needed to lock the boundary in place. Remember the mnemonic: “SCP locks the door, boundary sets the floor.”

SAA-C03 Design Secure Architectures Practice Question

This SAA-C03 practice question tests your understanding of design secure architectures. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An organization lets application teams create IAM roles in member accounts. Security wants every newly created role to stay within an approved permission ceiling, and teams must not be able to remove that ceiling later. Which two controls best meet the requirement? Select two.

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.


Correct answer & explanation

Attach the approved permissions boundary to every role created by the teams.

Option A is correct because a permissions boundary is an IAM feature that sets the maximum permissions a role can have. By attaching an approved permissions boundary to every newly created role, the organization enforces a permission ceiling that cannot be exceeded, even if the role has additional policies attached. This directly meets the requirement of keeping roles within an approved ceiling.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Attach the approved permissions boundary to every role created by the teams.

    Why this is correct

    A permissions boundary caps the maximum permissions a role can ever receive, even if the role's inline or managed policies are broader. It is the right mechanism for defining a permission ceiling.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Use an SCP that denies iam:CreateRole or iam:PutRolePermissionsBoundary unless the approved boundary ARN is specified.

    Why this is correct

    An SCP can enforce governance at the account or OU level by blocking role creation or boundary changes unless the approved boundary is used. This prevents teams from bypassing or removing the required boundary.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Use an S3 bucket policy to prevent the roles from gaining extra privileges.

    Why it's wrong here

    S3 bucket policies control access to S3 resources only. They do not control the permissions granted to IAM roles across the account.

  • Rely on a role trust policy to limit the permissions the role can have.

    Why it's wrong here

    Trust policies determine who can assume a role, not what the role can do after assumption. They cannot enforce an account-wide permission ceiling.

  • Use a session policy attached to one assumed-role session to enforce the ceiling permanently.

    Why it's wrong here

    Session policies are temporary and apply only to a single STS session. They do not provide a permanent control over future role creation or role updates.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may think a session policy or trust policy can permanently restrict permissions, but session policies are temporary and trust policies only control who can assume the role, not the role's maximum permissions.

Detailed technical explanation

How to think about this question

A permissions boundary is an ordinary managed policy that is attached to a role or user in the boundary slot rather than as an identity policy; it defines the maximum permissions that principal can have. When a boundary is attached, the effective permissions are the intersection of the boundary and the identity-based policies, so the role cannot exceed the boundary even if broader policies are attached later. In AWS Organizations, an SCP can make the boundary mandatory by denying role creation and boundary changes unless the request specifies the approved boundary ARN (the iam:PermissionsBoundary condition key), which gives a preventive control at the account or OU level that member-account administrators cannot override.
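The SCP described above, written out and checked against sample requests, as an added example that is not part of the original page. It reuses the DeployBoundary ARN from Variation 1 below and assumes the boundary policy exists in each member account; the small evaluator models only the explicit-Deny and missing-key behaviour the page relies on, not full IAM evaluation.

```python
# Approved boundary ARN from the page's Variation 1 (account id is a sample value).
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/DeployBoundary"

# Constructed SCP for the OU that holds the application teams' member accounts.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Creating a role or changing its boundary must name the approved boundary.
            "Sid": "RequireApprovedBoundary",
            "Effect": "Deny",
            "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {   # Without this, a team could simply delete the boundary after creation.
            "Sid": "NoBoundaryRemoval",
            "Effect": "Deny",
            "Action": ["iam:DeleteRolePermissionsBoundary"],
            "Resource": "*",
        },
        {   # And nobody in the member accounts may widen the boundary policy itself.
            "Sid": "NoBoundaryPolicyEdit",
            "Effect": "Deny",
            "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                       "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": BOUNDARY_ARN,
        },
    ],
}


def scp_denies(action, resource="*", boundary=None):
    """Return True if any Deny statement in SCP matches the request.

    Two IAM rules are modelled: an SCP Deny overrides any Allow inside the
    account, and a negated operator such as StringNotEquals matches when the
    condition key is absent, so a CreateRole with no boundary at all is denied.
    Only the iam:PermissionsBoundary key is understood by this simplified check.
    """
    for stmt in SCP["Statement"]:
        if action not in stmt["Action"]:
            continue
        if stmt["Resource"] not in ("*", resource):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        # No condition => unconditional deny; otherwise deny unless the
        # requested boundary equals the approved ARN.
        if all(boundary != expected for expected in cond.values()):
            return True
    return False
```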

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this SAA-C03 question test?

Design Secure Architectures. This question tests Design Secure Architectures: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Attach the approved permissions boundary to every role created by the teams. — Option A is correct because a permissions boundary is an IAM feature that sets the maximum permissions a role can have. By attaching an approved permissions boundary to every newly created role, the organization enforces a permission ceiling that cannot be exceeded, even if the role has additional policies attached. This directly meets the requirement of keeping roles within an approved ceiling.

What should I do if I get this SAA-C03 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on SAA-C03

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Based on the exhibit, an automation pipeline in several member accounts creates IAM roles for application deployments. Security says no future role may exceed the approved boundary arn:aws:iam::123456789012:policy/DeployBoundary, even if someone later attaches AdministratorAccess. What should you implement to enforce this across the organization?

hard
  • A. Attach DeployBoundary to the automation role only, because that automatically forces every created role to inherit the same boundary.
  • B. Create an SCP that denies iam:CreateRole and iam:PutRolePermissionsBoundary unless aws:RequestTag equals DeployBoundary.
  • C. Create an SCP that denies iam:CreateRole unless iam:PermissionsBoundary equals arn:aws:iam::123456789012:policy/DeployBoundary, and also deny removing that boundary from created roles.
  • D. Use AWS Access Analyzer to automatically attach the approved boundary whenever a role is created without one.

Why C: Option C is correct because it uses an SCP to enforce that any IAM role creation must include the specific permissions boundary `arn:aws:iam::123456789012:policy/DeployBoundary`, and also prevents removal or modification of that boundary from existing roles. This ensures that even if an attacker or administrator later attaches a policy like AdministratorAccess, the effective permissions are still limited by the boundary, meeting the security requirement across all member accounts in the organization.

Variation 2. Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?

hard
  • A. Add a permission boundary to the developer role that points to ApprovedAppBoundary.
  • B. Add an SCP that denies iam:CreateRole and iam:PutRolePermissionsBoundary unless the request specifies the ApprovedAppBoundary ARN.
  • C. Use an S3 bucket policy to block policy documents that grant AdministratorAccess.
  • D. Require team members to use STS session policies when they create new roles.

Why B: Option B is correct because a Service Control Policy (SCP) at the organization root or in the member account's OU can deny IAM actions unless the required permissions boundary (ApprovedAppBoundary) is specified. This prevents any role creation or modification that would bypass the boundary, even if the developer has full IAM permissions in their account. SCPs are the only control that can enforce this across all principals in an account, including the account root user.


Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.