AWS DevOps Engineer Professional DOP-C01 – Question 513

A root owner is trying to create IAM users for the various departments. The owner has created groups for each department, but still wants to delineate the users at the subdivision level. For example, two users from different sub-departments should be identified separately and have separate permissions. How can the root owner configure this?

A. Create a hierarchy of the IAM users which are separated based on the department
B. Create a nested group
C. Use the paths to separate the users of the same group
D. It is not possible to delineate within a group

Correct Answer: C

Explanation:

The path functionality of IAM users and groups allows them to be delineated by further levels.
In this case the owner needs to use a path with each user or group so that the ARN of the user will look similar to:
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/user1
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/user2
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.h…