Q52 — AWS DOP-C02 Ch.3


AnyCompany uses AWS Organizations to create and manage multiple AWS accounts. AnyCompany recently acquired a competitor, Example Corp. During the acquisition process, Example Corp’s single AWS account joined AnyCompany’s management account via an organization invitation. AnyCompany moved the new member account into an OU dedicated to Example Corp. AnyCompany’s DevOps engineers have an IAM user that assumes a role named OrganizationAccountAccessRole to access member accounts. This role is configured with full administrative permissions. When a DevOps engineer attempts to assume the role in the new Example Corp member account using the AWS Management Console, they receive the following error: 'One or more parameters in the request are invalid. Please check your information or contact your administrator.' Which solution enables the DevOps engineer to access the new member account?

Correct Answer: C. In the new member account, create a new IAM role named OrganizationAccountAccessRole. Attach the AdministratorAccess AWS managed policy to the role. In the role’s trust policy, grant the management account permission to assume the role.

Explanation

Cross-account role access in AWS Organizations requires a correctly configured IAM role in the target account. When an existing account joins an organization via invitation, the default OrganizationAccountAccessRole is not created automatically; AWS documentation states that this role is auto-created only for accounts that are created through Organizations. If the invited account lacks this role, it must be created manually with the same name, appropriate permissions, and a trust policy that allows the management account to assume it. Option C resolves the issue by creating the role and configuring its trust policy in the target account, which addresses the root cause: the role is missing, or its trust relationship is incorrect. The other options do not address the absence of the role or the improper trust configuration.
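As an added example (not part of the original question or of AWS documentation), the following is the trust policy that option C describes, written as it would be attached to OrganizationAccountAccessRole inside the Example Corp member account. The management account ID is a placeholder and must be replaced with AnyCompany's real 12-digit management account ID; the `arn:aws:iam::<account-id>:root` principal form grants the whole management account (subject to its own IAM policies) permission to assume the role, which is the pattern Organizations uses for the auto-created role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManagementAccountToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Because the management account has no access to the invited account yet, this policy has to be applied by a principal that already has administrative access inside the Example Corp account (for example, its existing root user or an IAM administrator there). Saving the document as `trust.json`, the role can then be created with `aws iam create-role --role-name OrganizationAccountAccessRole --assume-role-policy-document file://trust.json`, followed by `aws iam attach-role-policy --role-name OrganizationAccountAccessRole --policy-arn arn:aws:iam::aws:policy/AdministratorAccess`. Once both commands succeed, the DevOps engineer's IAM user in the management account can switch into the role exactly as it does for the organization's other member accounts. Since the role carries AdministratorAccess, limiting the principal to the management account (rather than `"AWS": "*"`) and later tightening it to specific roles or adding an `aws:PrincipalOrgID` condition are the checks worth making after the immediate access problem is solved.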