AWS Certified Security Specialty Exam Questions

Question 75:

You are a security admin for an Organizational Unit named “DataAnalyticsTeam”. You wish to streamline some of the security processes and delegate some security tasks to the development team.
To this end, you wish to enable the development team to create roles and policies that can be attached to the various AWS services they are using. However, the services that they create should only be able to access S3 buckets in the “us-west-1” region.
The development team members have the “DeveloperRole” IAM Role assigned to them. What combination of steps below will accomplish this task (Select THREE)? 

Answer options:

A. Create “S3Actions” SCP Policy:
---
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3RestrictionsPolicy",
      "Effect": "Deny",
      "Action": "S3:GetObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-west-1"
        }
      }
    }
  ]
}
---
B. Create “S3Actions” IAM Policy:
---
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3RestrictionsPolicy",
      "Effect": "Allow",
      "Action": " S3:GetObject ",
      "Resource": " *",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-west-1"
        }
      }
    }
  ]
}
---
C. Create “CreateRoles” IAM Policy:
---
{
  "Sid": "CreateRoles",
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:DetachRolePolicy"
  ],
  "Resource": [
    "arn:aws:iam::ACCOUNT_ID:role/*"
  ],
  "Condition": {
    "StringEquals": {
      "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/S3Actions"
    }
  }
}
---
D. Execute AWS CLI command:
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/CreateRoles --role-name DeveloperRole
E. Execute the AWS CLI command:
AWS organizations attach-policy --policy-id S3Actions --target-id DataAnalyticsTeam