AWS DevOps Engineer Professional Practice Test

What is an effective method for ensuring that only senior developers can push changes in a CodeCommit repository?

• A. Assign write access to the repository to all developers
• B. Attach an explicit DENY policy to the default group developers' IAM users
• C. Replace developers group with an Admin group
• D. Create a new repository for senior developers only

The correct answer is: Attach an explicit DENY policy to the default group developers' IAM users

An effective method to ensure that only senior developers can push changes in a CodeCommit repository is to attach an explicit DENY policy to the default group of developers' IAM users. By doing this, you create a rule that restricts access for all developers in that group, effectively preventing any non-senior developers from making changes to the repository. When a DENY policy is applied, it overrides any ALLOW policies, ensuring that the restrictions are enforced strictly. This method is particularly robust in managing permissions within AWS because it allows for fine-grained control over who can and cannot perform specific actions, like pushing code changes. By maintaining a clear boundary where only senior developers have the necessary permissions, it helps in safeguarding the codebase and encouraging best practices in development workflows. Creating a separate repository for senior developers might seem like a viable option, but it could lead to fragmentation and complicate workflows as both repositories would need to be maintained separately. Assigning write access to all developers would defeat the purpose of restricting access to only senior developers. Replacing the developers group with an Admin group is not recommended either, as it would grant excessive permissions to all members, negating the desired control over who can push changes.