A company wants to grant the same set of permissions to 50 developers at once and manage member additions, removals, and permission changes efficiently. Which IAM approach is MOST suitable?
A question about selecting the MOST efficient IAM method for granting the same permissions to multiple users.
Manually attach an individual policy to each of the 50 users one at a time.
Attaching policies individually means every permission change requires modifying all 50 users, which leads to mistakes and omissions.
This does not meet the requirement of efficient management, so it is incorrect.
Create a shared managed policy and attach it directly to each of the 50 users.
Using a shared managed policy can grant the same permissions to everyone, but each addition or removal still requires attaching or detaching the policy for each individual user. When multiple policies are involved, the number of operations grows to number of users × number of policies. There is also no unit for managing who the developers are and which policies are attached, making it easy to miss grants or removals. With an IAM group, permissions are applied or removed simply by changing group membership, and the member list is visible at a glance—so this approach is less efficient than using an IAM group, making it incorrect.
Create an IAM group, attach the permissions to the group, and add the users to the group.
Correct. By attaching permissions (policies) to an IAM group and adding developer IAM users to that group, the same permissions are applied to all members. A permission change only requires updating the group policy once and it is reflected for everyone, and adding or removing members is simply a matter of joining or leaving the group.
Create a shared IAM role that all users can assume and attach the permissions to it.
An IAM role is a mechanism for temporarily assuming (switching to) permissions, and is well-suited for granting permissions to services or for cross-account access.
For day-to-day membership and permission set management for 50 people, an IAM group is the appropriate choice. Requiring everyone to switch to a role every time is a roundabout approach to the requirement, so it is incorrect.
'Multiple users with the same permissions' and 'efficient management' = IAM Group. Changing the group policy is reflected for all members. Individual attachment creates per-user work, and roles are primarily for temporary permission assumption.