Q45 — AWS DOP-C02 Ch.1
A company uses AWS Organizations to manage accounts across its business units. Its development team has built an AWS Lambda function that calls the Organizations API to create new AWS accounts. The Lambda function currently runs in the organization’s management account. The DevOps team needs to move the Lambda function from the management account to a dedicated member account. The DevOps team wants to ensure that the Lambda function can create new AWS accounts in the organization only after it is deployed to the new account.
- A. In the management account, create a new IAM role with permissions required to create new accounts in Organizations. Allow the Lambda execution role in the new AWS account to assume this role. Update the Lambda function code to assume the role when creating new AWS accounts. Update the Lambda execution role to ensure it has permissions to assume the new role. ✓
- B. In the management account, configure delegated administration for Organizations. Create a new service control policy (SCP) granting the new AWS account permission to create new AWS accounts in Organizations. Ensure the Lambda execution role has organizations:CreateAccount permission.
- C. In the management account, create a new IAM role with permissions required to create new accounts in Organizations. Configure the trust policy to allow the Lambda service principal to assume the role. Update the Lambda function code to assume the role when creating new AWS accounts. Update the Lambda execution role to ensure it has permissions to assume the new role.
- D. In the management account, enable AWS Control Tower. Enable Control Tower’s delegated administration. Create a resource policy allowing the new AWS account to create new AWS accounts in Control Tower. Update the Lambda function code in the new AWS account to use the Control Tower API. Ensure the Lambda execution role has controltower:CreateAccount permission.
Correct Answer: A. In the management account, create a new IAM role with permissions required to create new accounts in Organizations. Allow the Lambda execution role in the new AWS account to assume this role. Update the Lambda function code to assume the role when creating new AWS accounts. Update the Lambda execution role to ensure it has permissions to assume the new role.
Explanation
Cross-account access in AWS is done by assuming an IAM role through STS, not by granting a principal in one account permissions that only exist in another. Creating accounts with organizations:CreateAccount is a management-account operation, so a Lambda function running in a member account has to obtain management-account credentials by assuming a role that lives there. Option A is exactly that pattern: a role in the management account carries the Organizations permissions, its trust policy names the member account's Lambda execution role as the principal, the execution role is allowed sts:AssumeRole on that single role, and the function code calls AssumeRole and uses the returned short-lived credentials for the Organizations API. Because the trust policy references the execution role's ARN, the chain works only once the function and its role exist in the new account, which is what the requirement asks for. In practice, scope the trust policy to that specific role ARN rather than the member account root, grant the management-account role only the actions it needs (CreateAccount and DescribeCreateAccountStatus for polling the asynchronous request), and consider an aws:PrincipalOrgID condition so the role can be assumed only from inside the organization.

Option B is wrong because SCPs never grant permissions; they only cap what principals in member accounts may do, and giving the execution role organizations:CreateAccount in the member account does not let it create accounts in an organization managed elsewhere. Option C is wrong because the function's AssumeRole call is made with the execution role's credentials, not as the Lambda service principal, so a trust policy that trusts only lambda.amazonaws.com would deny the call; it would also trust the Lambda service in general rather than one specific role. Option D adds AWS Control Tower, which the scenario does not use and which is not needed to call the Organizations API from a member account.
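The following Python is an added worked example of option A and is not code from the original page or from AWS. It builds the three policy documents (trust policy and permission policy for the management-account role, AssumeRole policy for the execution role) and implements the Lambda-side flow: assume the role, call CreateAccount with the temporary credentials, poll until the asynchronous request finishes. The account IDs, role names and organization ID are assumptions, and the STS and Organizations clients are replaced by constructed stand-ins so the flow can be run offline.

```python
# Added example, not code from the original page: option A end to end, with the
# three policy documents and the Lambda-side code that assumes the role in the
# management account and calls CreateAccount with the temporary credentials.
# Account IDs, role names and the organization ID below are assumptions.
import time

MANAGEMENT_ACCOUNT = "111111111111"  # assumed
MEMBER_ACCOUNT = "222222222222"      # assumed; hosts the Lambda function
ORG_ID = "o-exampleorgid"            # assumed
EXEC_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/AccountFactoryLambdaRole"
TARGET_ROLE_ARN = f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:role/OrgAccountCreator"


def management_role_trust_policy(exec_role_arn=EXEC_ROLE_ARN, org_id=ORG_ID):
    """Trust policy of the management-account role: trusts the exact execution
    role ARN (not the account root, not lambda.amazonaws.com) and pins the
    caller to this organization."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": exec_role_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}}}]}


def management_role_permissions():
    """Permission policy of that role: CreateAccount plus the call needed to
    poll the asynchronous request, nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["organizations:CreateAccount",
                   "organizations:DescribeCreateAccountStatus"]}]}


def execution_role_assume_policy(target_role_arn=TARGET_ROLE_ARN):
    """Inline policy on the member-account execution role: may assume one
    specific role and holds no Organizations permissions of its own."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def create_account(sts, org_client_factory, account_name, email,
                   target_role_arn=TARGET_ROLE_ARN, poll_seconds=0):
    """Assume the role, create the account with the returned temporary
    credentials, poll until done. Inside Lambda pass boto3.client("sts") and a
    factory that builds boto3.client("organizations", ...) from the
    AccessKeyId/SecretAccessKey/SessionToken in the credentials dict."""
    resp = sts.assume_role(RoleArn=target_role_arn, RoleSessionName="account-factory",
                           DurationSeconds=900)  # shortest lifetime STS allows
    org = org_client_factory(resp["Credentials"])
    status = org.create_account(AccountName=account_name, Email=email)["CreateAccountStatus"]
    while status["State"] == "IN_PROGRESS":
        time.sleep(poll_seconds)
        status = org.describe_create_account_status(
            CreateAccountRequestId=status["Id"])["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(f"CreateAccount failed: {status.get('FailureReason')}")
    return status["AccountId"]


# Constructed stand-ins for STS and Organizations so the flow runs offline.
class FakeSTS:
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret", "SessionToken": "token"}}


class FakeOrganizations:
    def __init__(self, polls_until_done=1, fail_reason=None):
        self.polls_left, self.fail_reason = polls_until_done, fail_reason

    def create_account(self, **kwargs):
        return {"CreateAccountStatus": {"Id": "car-example", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls_left -= 1
        s = {"Id": CreateAccountRequestId, "State": "IN_PROGRESS"}
        if self.polls_left <= 0:
            if self.fail_reason:
                s.update(State="FAILED", FailureReason=self.fail_reason)
            else:
                s.update(State="SUCCEEDED", AccountId="333333333333")
        return {"CreateAccountStatus": s}


def demo(fail_reason=None):
    """Returns (new account ID or error message, RoleArn passed to AssumeRole)."""
    sts = FakeSTS()
    try:
        result = create_account(sts, lambda c: FakeOrganizations(2, fail_reason),
                                "workload-a", "aws+workload-a@example.com")
    except RuntimeError as exc:
        result = str(exc)
    return result, sts.calls[0]["RoleArn"]


if __name__ == "__main__":
    print(demo())
    print(demo("EMAIL_ALREADY_EXISTS"))
```

The execution role never holds any organizations:* permission itself; everything Organizations-related is confined to the management-account role, and the only thing the member account can do is assume that one ARN. Swapping the trust policy's principal for the Lambda service principal, as option C proposes, would make the AssumeRole call in create_account fail, because it is made with the execution role's credentials.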