
SAP-C02: Granting IAM User Access to Stop or Terminate Resources in AWS Organizations Member Accounts

Understand how to configure cross-account access in AWS Organizations with IAM users and roles. Learn how to manage resources across multiple accounts effectively.


Question

A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts.

Which solution will meet this requirement?

A. Create an IAM user and a cross-account role in the management account. Configure the cross-account role with least privilege access to the member accounts.
B. Create an IAM user in each member account. In the management account, create a cross-account role that has least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.
C. Create an IAM user in the management account. In the member accounts, create an IAM group that has least privilege access. Add the IAM user from the management account to each IAM group in the member accounts.
D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the roles by using a trust policy.

Answer

D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the roles by using a trust policy.

Explanation

In AWS, you grant an IAM user in one account (here, the management account) access to resources in another account (here, each member account) by creating a role for cross-account access in the account that owns the resources. Such a role carries two kinds of policy: a trust policy (the role's resource-based policy), which names the principals allowed to call sts:AssumeRole on it, and one or more permissions policies, which define what the role may do once assumed. In each member-account role, the trust policy names the IAM user in the management account as the principal, and the permissions policy grants only the stop and terminate actions on the resources in that member account. Note that if the trust policy names the management account root rather than the user's ARN, the user additionally needs an identity-based policy allowing sts:AssumeRole on the role ARN; when the user's ARN is named directly in the trust policy, no extra identity-based permission is required.

In this scenario, the solutions architect creates one IAM user in the management account and a cross-account role in each member account. Each role is configured with least privilege, meaning it holds only the permissions needed to stop or terminate resources. The IAM user is granted access through each role's trust policy and then switches roles (via the console or sts:AssumeRole) to act in either member account, which meets the requirement.

The other options fail for structural reasons. Option A places the role in the management account, but a role can only grant permissions on resources in the account where it exists, so it cannot stop or terminate resources in the member accounts. Option B creates the users in the member accounts, whereas the requirement calls for a single IAM user in the management account. Option C relies on IAM groups, which can contain only IAM users from the same account; a user from another account cannot be added to a member account's group.
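The following Python script is an added illustration of option D and is not part of the original question or of any AWS material. It generates the two policy documents for the role in each member account (the trust policy naming the management-account user, and the least-privilege permissions policy) and lints them for the mistakes that would break the requirement. The account IDs, the user and role names, and the choice of EC2 stop/terminate actions are assumptions made for the example.

```python
"""Build and sanity-check the cross-account role documents for option D.

Added example, not part of the original question. The account IDs, role and
user names, and the "stop or terminate" action list are assumptions chosen for
illustration; substitute your own values.
"""
import json

MGMT_ACCOUNT = "111111111111"                      # assumed management account ID
MEMBER_ACCOUNTS = {"development": "222222222222",  # assumed member account IDs
                   "production": "333333333333"}
OPS_USER_ARN = f"arn:aws:iam::{MGMT_ACCOUNT}:user/ops-stopper"  # assumed IAM user
ROLE_NAME = "StopTerminateRole"                     # assumed role name in each member

# Least-privilege action set for "stop or terminate" EC2 instances (assumption:
# the workloads are EC2; add RDS/ECS actions if the environment needs them).
STOP_TERMINATE_ACTIONS = ["ec2:StopInstances", "ec2:TerminateInstances"]


def trust_policy(principal_arn: str) -> dict:
    """Trust policy for the role that lives in the *member* account.

    Trusting the user ARN directly (rather than the management account root)
    means only this one principal can assume the role, and the user needs no
    extra identity-based sts:AssumeRole permission. MFA is required as well.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def permissions_policy(member_account: str) -> dict:
    """Permissions policy attached to the same role: only stop/terminate,
    and only on instances in this member account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": STOP_TERMINATE_ACTIONS,
            "Resource": f"arn:aws:ec2:*:{member_account}:instance/*",
        }],
    }


def role_arn(member_account: str) -> str:
    """ARN the management-account user passes to sts:AssumeRole."""
    return f"arn:aws:iam::{member_account}:role/{ROLE_NAME}"


def lint_least_privilege(policy: dict) -> list[str]:
    """Flag statements that would break the least-privilege requirement."""
    problems = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                problems.append(f"wildcard action {a!r}")
            elif a not in STOP_TERMINATE_ACTIONS:
                problems.append(f"action {a!r} is outside the stop/terminate scope")
        if "*" in resources:
            problems.append("unscoped resource '*'")
    return problems


def trusts_only(policy: dict, principal_arn: str) -> bool:
    """True when every statement trusts exactly the given principal for AssumeRole."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            return False
        if stmt["Principal"] != {"AWS": principal_arn}:
            return False
    return True


def build_member_role_documents() -> dict:
    """One (trust, permissions) pair per member account: what option D deploys."""
    return {
        name: {
            "role_arn": role_arn(acct),
            "trust": trust_policy(OPS_USER_ARN),
            "permissions": permissions_policy(acct),
        }
        for name, acct in MEMBER_ACCOUNTS.items()
    }


if __name__ == "__main__":
    for name, docs in build_member_role_documents().items():
        assert not lint_least_privilege(docs["permissions"])
        print(f"# {name}: {docs['role_arn']}")
        print(json.dumps(docs["trust"], indent=2))
        print(json.dumps(docs["permissions"], indent=2))
```

The generated trust document is what goes into `create-role --assume-role-policy-document` in each member account, and the permissions document into `put-role-policy` on the same role; the user in the management account then calls `sts assume-role` with the role ARN (and an MFA code, since the trust policy requires it) to obtain temporary credentials scoped to that member account.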
