
SAP-C02: Centralized AWS Account Management with IAM Roles for Security Access

Learn how to manage multiple AWS accounts using AWS Organizations and IAM roles. Grant read-only access to the security team by creating IAM roles in member accounts and establishing trust relationships. Ensure centralized control and visibility across accounts for enhanced security.


Question

A company needs to create and manage multiple AWS accounts for a number of departments from a central location. The security team requires read-only access to all accounts from its own AWS account. The company is using AWS Organizations and created an account for the security team.

How should a solutions architect meet these requirements?

A. Use the OrganizationAccountAccessRole IAM role to create a new IAM policy with read-only access in each member account. Establish a trust relationship between the IAM policy in each member account and the security account. Ask the security team to use the IAM policy to gain access.
B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.
C. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the management account from the security account. Use the generated temporary credentials to gain access.
D. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the member account from the security account. Use the generated temporary credentials to gain access.

Answer

B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.

Explanation

To meet the requirements of granting read-only access to the security team for all member accounts from their own AWS account, the solutions architect should choose option B: Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.

Here’s why this option is the correct choice:

  1. OrganizationAccountAccessRole IAM role: AWS Organizations provides the OrganizationAccountAccessRole IAM role, which is automatically created in each member account and trusts the management account. Assuming this role from the management account gives the centralized administrative access needed to configure each member account.
  2. Create a new IAM role in each member account: Using that administrative access, the solutions architect creates a new IAM role in each member account and attaches a read-only permissions policy to it. This role carries exactly the permissions the security team needs, and nothing more.
  3. Establish a trust relationship: The trust policy of the newly created IAM role in each member account names the security account as a trusted principal. This trust relationship is what allows identities in the security team's AWS account to call sts:AssumeRole on the role in each member account.
  4. Security team uses the IAM role for access: The security team then assumes the IAM role to obtain temporary credentials with read-only access in each member account. This gives them the required visibility from their own account without long-lived credentials or direct sign-in to each individual account.

By using the OrganizationAccountAccessRole IAM role, creating a new IAM role with read-only access in each member account, establishing a trust relationship, and having the security team use the IAM role for access, you can meet the requirements of providing read-only access to the security team for all member accounts from their own AWS account.
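The following is an added illustration of steps 1 to 3 above, not code from the original question or from AWS: it builds the trust policy that names the security account, checks that a trust policy admits only that account (a review to repeat in every member account), and shows the provisioning call that assumes OrganizationAccountAccessRole from the management account to create the role. The role name SecurityReadOnly and the 12-digit account IDs are constructed placeholders; the managed policy ARN is the real AWS ReadOnlyAccess policy.

```python
import json

READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy
ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"  # created by Organizations in member accounts


def build_trust_policy(security_account_id: str) -> dict:
    """Trust policy for the read-only role in a member account: only principals in the
    security account may assume it (they also need sts:AssumeRole granted on their side)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy_only_allows(policy: dict, account_id: str) -> bool:
    """Return True only if every Allow statement covering sts:AssumeRole names just the
    expected account (no wildcard principal, no foreign account)."""
    expected = f"arn:aws:iam::{account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return False
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if any(p != expected for p in aws):
            return False
    return True


def provision_read_only_role(member_account_id, security_account_id, role_name="SecurityReadOnly"):
    """Assume OrganizationAccountAccessRole in the member account (run with management-account
    credentials) and create the read-only role there. Needs boto3 and network access."""
    import boto3  # imported here so the pure helpers above run without it
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{member_account_id}:role/{ORG_ACCESS_ROLE}",
        RoleSessionName="provision-security-readonly")["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(build_trust_policy(security_account_id)))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=READ_ONLY_POLICY_ARN)
    return f"arn:aws:iam::{member_account_id}:role/{role_name}"
```

Run provision_read_only_role once per member account; the security team then calls sts:AssumeRole on the returned ARN from its own account (step 4).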

Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice question and answer (Q&A) dump, with detailed explanation and references, available free to help you pass the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earn the Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.