Final answer:
A DevOps engineer with AdministratorAccess cannot delete the IAM user for their manager if there are protective measures in place, such as MFA and approval policies, and they cannot close the company's AWS account as only the root account user has that privilege.
Step-by-step explanation:
The question pertains to the privileges associated with the AdministratorAccess managed policy in an AWS account. When an IAM user is part of a group with AdministratorAccess, they have extensive permissions across AWS services. However, there are certain tasks they cannot perform even with these elevated privileges.
Here are two tasks that a DevOps engineer with AdministratorAccess cannot perform:
- C. Delete the IAM user for his manager - A DevOps engineer can potentially delete other IAM users, but if the IAM user for the engineer's manager has MFA enabled and a policy that prevents their deletion without confirmation (like requiring additional approval), they might be restricted from doing this.
- E. Close the company's AWS account - Only the root account user has the privilege to close an AWS account. An IAM user with AdministratorAccess cannot perform this action regardless of their full administrative permissions.
Therefore, the tasks that the DevOps engineer cannot perform are related to specific limitations on IAM user deletion depending on internal policies and AWS account-level operations that are exclusive to the root account user.
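The restriction described under C exists only when a protective policy is attached alongside AdministratorAccess. The following is an added example, not part of the original answer: a simplified model of identity-based policy evaluation (no conditions, SCPs or permissions boundaries) showing an explicit Deny overriding the allow-everything statement. The guardrail policy, account ID and user names are constructed placeholders.

```python
from fnmatch import fnmatchcase

# AWS managed policy AdministratorAccess: a single allow-everything statement.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed guardrail (assumption): account ID and user name are placeholders.
MANAGER_ARN = "arn:aws:iam::111122223333:user/manager"
PROTECT_MANAGER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "Action": ["iam:DeleteUser", "iam:DeleteLoginProfile"],
     "Resource": MANAGER_ARN}]}


def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    # Action names are matched case-insensitively, ARNs case-sensitively.
    action_hit = any(fnmatchcase(action.lower(), p.lower())
                     for p in _as_list(statement["Action"]))
    resource_hit = any(fnmatchcase(resource, p)
                       for p in _as_list(statement["Resource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    statements = [s for p in policies for s in _as_list(p["Statement"])]
    matching = [s for s in statements if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "ExplicitDeny"   # an explicit Deny always wins
    if any(s["Effect"] == "Allow" for s in matching):
        return "Allow"
    return "ImplicitDeny"       # nothing matched, so the default is deny


if __name__ == "__main__":
    attached = [ADMINISTRATOR_ACCESS, PROTECT_MANAGER]
    print(evaluate(attached, "iam:DeleteUser", MANAGER_ARN))
```

With only `ADMINISTRATOR_ACCESS` attached, the same request evaluates to `Allow`, so the protection comes entirely from the additional Deny statement.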