Q46 — AWS SAP-C02 Ch.3

Question 46 of 75 | ← Chapter 3

Q271. A company needs to create and manage multiple AWS accounts for a number of departments from a central location. The security team requires read-only access to all accounts from its own AWS account. The company is using AWS Organizations and created an account for the security team. How should a solutions architect meet these requirements?

Correct Answer: B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role-win read only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.

Explanation

This approach would involve creating a new IAM role in each member account that has read-only access to AWS resources within that account. The OrganizationAccountAccessRole IAM role can be used to create these roles automatically across all member accounts. Once the IAM roles have been set up, a trust relationship can be established between the IAM role in each member account and the security account so that the security team can assume the IAM role and gain read-only access to all member accounts from their own AWS account. Allow security team to assume to OrganizationAccountAccessRole means it's full access, not read only OrganizationAccountAccessRole has full administrative permissions in the member account. --