A company wants to implement a least-privilege permission model across all AWS accounts. The security team needs to ensure that no IAM user has full administrator access. However, the operations team occasionally needs emergency access. Which solution meets these requirements?
IAM Identity Center allows time-limited, auditable access elevation.
Why this answer
AWS IAM Identity Center (formerly AWS SSO) lets you define permission sets that grant temporary, scoped access to AWS accounts. Requiring approval before emergency access is granted enforces a least-privilege model while still providing a controlled break-glass path. No one holds permanent administrator rights, and every elevation is time-limited and auditable.
Exam trap
The trap is treating a static IAM role with a break-glass process (Option D) as sufficient for least privilege. Without temporary credentials and an approval workflow, that role grants persistent full administrator access to anyone who can assume it, which violates the least-privilege principle.
How to eliminate wrong answers
Option B is wrong because an SCP that denies all IAM actions except from a specific admin account would also block the operations team from assuming any role or performing IAM operations, including the emergency access they need, and it provides no temporary elevation mechanism.
Option C is wrong because an IAM password policy requiring MFA only controls password-based authentication for IAM users; it neither prevents a user from holding full administrator access nor provides a way to grant temporary elevated permissions.
Option D is wrong because creating an IAM role with full administrator access in each account and assuming it through a break-glass process does not enforce least privilege: the role grants permanent full admin access to anyone who can assume it, and the break-glass process is neither controlled nor audited unless additional mechanisms such as approval workflows are added.