Configure AWS OpsWorks Stacks for Secure Deployment and Management

Restrict User Permissions for AWS OpsWorks Stacks

Question

A leading bank has deployed servers using AWS OpsWorks Stacks for configuration management.

The financial applications installed on these servers are critical for the bank.

As per the security guidelines, users from the operations team working on these servers should only be able to deploy instances in an AWS OpsWorks Stack and should not be able to clone stacks.

Which combination of steps should a SysOps administrator take to meet this requirement? (Select TWO)

Answers

Explanations


A. B. C. D. E.

Correct Answers: A and E.

For AWS OpsWorks Stacks, the best practice for granting user permissions is to use AWS OpsWorks Stacks Permissions Management.

AWS OpsWorks Stacks Permissions Management has the following levels:

Deny - No permission to interact with the stack.

Show - Permission to view the stack configuration.

Deploy - Permission to view the stack configuration and deploy apps.

Manage - All permissions of the Deploy level, plus permission to create and deploy instances.

For granular permissions that cannot be granted using AWS OpsWorks Stacks User Permissions, IAM policies can be used.

For the requirement in this case, permission to deploy instances can be granted using AWS OpsWorks Stacks Permissions Management, while denying permission to clone stacks can be done using an IAM policy.

Option B is incorrect because AWS OpsWorks Stacks User Permissions cannot express granular permissions such as denying users the ability to remove layers.

Option C is incorrect because the AWS OpsWorks Stacks User Permissions level should be Manage, not Deploy.

With the Deploy permission level, deploying instances is not permitted.

Option D is incorrect because, per AWS recommendations, AWS OpsWorks Stacks User Permissions should be used to grant users access for performing stack operations.

An IAM policy should only be used for granular controls that are not part of AWS OpsWorks Stacks Permissions Management.
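The layering described above (an OpsWorks Stacks permission level for day-to-day stack rights, plus an IAM explicit deny for the one action the level cannot exclude) as an added example, not part of the original page. The stack ID and IAM user ARN are constructed placeholders, and the per-level rights table only models the level descriptions given on this page.

```python
"""Layer an IAM explicit deny for opsworks:CloneStack over an OpsWorks
Stacks 'manage' permission level. Added example; identifiers are placeholders."""
import json

# Constructed placeholders: substitute the real stack ID and IAM user ARN.
STACK_ID = "00000000-0000-0000-0000-000000000000"
USER_ARN = "arn:aws:iam::123456789012:user/ops-team-member"

# Rights implied by each OpsWorks Stacks permission level, modelled after the
# level descriptions on this page (Manage = Deploy + instance operations).
LEVEL_RIGHTS = {
    "deny": set(),
    "show": {"opsworks:DescribeStacks"},
    "deploy": {"opsworks:DescribeStacks", "opsworks:CreateDeployment"},
    "manage": {"opsworks:DescribeStacks", "opsworks:CreateDeployment",
               "opsworks:CreateInstance", "opsworks:CloneStack"},
}

def deny_clone_policy(stack_arn="*"):
    """Customer-managed IAM policy that blocks only cloning; everything else
    stays governed by the OpsWorks Stacks permission level."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOpsWorksCloneStack",
            "Effect": "Deny",
            "Action": "opsworks:CloneStack",
            "Resource": stack_arn,
        }],
    }

def is_allowed(action, stacks_level, policy):
    """Simplified evaluation of the two layers: an explicit IAM Deny wins over
    anything the OpsWorks permission level would otherwise allow."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == "Deny" and action in actions:
            return False
    return action in LEVEL_RIGHTS[stacks_level]

def apply_permissions(iam_user_name):
    """Push both layers with boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported here so the module loads without boto3 installed
    boto3.client("opsworks").set_permission(
        StackId=STACK_ID, IamUserArn=USER_ARN, Level="manage")
    boto3.client("iam").put_user_policy(
        UserName=iam_user_name, PolicyName="DenyOpsWorksCloneStack",
        PolicyDocument=json.dumps(deny_clone_policy()))
```

`is_allowed` shows why the Manage level alone is insufficient: it permits cloning, and only the IAM deny removes that single action while leaving instance deployment intact.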

For more information on managing AWS OpsWorks Stacks User Permissions, refer to the following URLs:

https://docs.aws.amazon.com/opsworks/latest/userguide/opsworks-security-users.html

https://docs.aws.amazon.com/opsworks/latest/userguide/best-practices-permissions.html

To meet the requirement that users from the operations team working on servers configured using AWS OpsWorks Stacks should only be able to deploy instances in a stack but not clone stacks, the SysOps administrator should take the following steps:

  1. Configure AWS OpsWorks Stacks User Permissions to grant users a Deploy permission level to perform stack operations - Option C:

The Deploy permission level allows users to create and manage instances within a stack. It provides the ability to perform deployment-related activities such as starting and stopping instances, deploying applications, and scaling instances. By granting this permission, the users will be able to perform the required operations on the stack and deploy new instances.

  2. Configure AWS OpsWorks Stacks User Permissions to deny users from cloning stacks - Option B:

The Deny permission is used to explicitly deny access to a specific resource or operation. By configuring AWS OpsWorks Stacks User Permissions to deny users from cloning stacks, the users will not be able to clone the stack, preventing them from making any unauthorized changes to the configuration.

Therefore, options C and B are the correct combination of steps that a SysOps administrator should take to meet the requirement of allowing users to deploy instances in an AWS OpsWorks Stack but not clone stacks.

Option A: Configuring AWS OpsWorks Stacks User Permissions to grant users a Manage permission level to perform stack operations provides users with the ability to perform all operations on the stack, including creating new stacks and cloning existing stacks. This is not in line with the requirement stated in the question.

Option D: Configuring IAM policy to permit users to perform stack operations does not provide the granularity required to allow users to deploy instances but not clone stacks.

Option E: Configuring IAM policy to deny users from cloning stacks does not provide the granularity required to allow users to deploy instances in a stack. It would block users from performing all operations related to the stack, including deploying instances.