Q66 — AWS SAP-C02 Ch.3
Question 66 of 75
Q291. A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts. Which solution will meet this requirement?
- A. Create an IAM user and a cross-account role in the management account. Configure the cross-account role with least privilege access to the member accounts.
- B. Create an IAM user in each member account. In the management account, create a cross-account role that has least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.
- C. Create an IAM user in the management account. In the member accounts, create an IAM group that has least privilege access. Add the IAM user from the management account to each IAM group in the member accounts.
- D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the roles by using a trust policy. ✓
Correct Answer: D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the roles by using a trust policy.
Explanation
To let an IAM user in the management account stop or terminate resources in both member accounts, cross-account access is required: the permissions have to be granted by roles that exist in the accounts that own the resources, and the management-account user has to be allowed to assume those roles.

Option D does exactly this. It creates an IAM user in the management account, creates a cross-account role in each member account with only the permissions needed to stop or terminate resources, and grants the management-account user access to those roles through each role's trust policy.

Option A is incorrect because a cross-account role that lives in the management account does not give the user any access to resources in the member accounts; the role must exist in the member account that owns the resources.

Option B is incorrect because creating a separate IAM user in each member account adds administrative overhead and multiplies the credentials that must be managed and protected, which is a security risk.

Option C is incorrect because an IAM group can only contain IAM users from the same account, so an IAM group in a member account cannot provide access to the IAM user in the management account.
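The policy documents that Option D relies on, written out as an added illustration that is not part of the question or its explanation. The account IDs, the user name `ops-admin`, the role name `StopTerminateRole`, the MFA condition on the trust policy and the `ec2:StopInstances`/`ec2:TerminateInstances` action set are all assumptions. The script builds the member-account role's trust policy and permissions policy and the management-account user's `sts:AssumeRole` policy, then checks that the documents refer to each other consistently and that the role's permissions contain no wildcard or IAM actions.

```python
"""Cross-account role pattern from Option D: policy documents plus two checks.

Constructed illustration; account IDs, names and conditions are placeholders.
"""
import json

# Placeholder identifiers (constructed, not taken from the question).
MANAGEMENT_ACCOUNT_ID = "111111111111"
MEMBER_ACCOUNT_IDS = {"development": "222222222222", "production": "333333333333"}
USER_NAME = "ops-admin"          # IAM user created in the management account
ROLE_NAME = "StopTerminateRole"  # same role name created in every member account


def trust_policy(management_account_id: str, user_name: str) -> dict:
    """Trust policy on the member-account role: only the named management-account
    user may assume it. The MFA condition is an added assumption, reasonable for a
    role that can terminate resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:user/{user_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def permissions_policy() -> dict:
    """Least-privilege permissions policy on the member-account role: just the
    stop/terminate actions the question asks for."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "*",
        }],
    }


def user_assume_role_policy(member_account_ids: dict, role_name: str) -> dict:
    """Identity policy on the management-account user: it may assume the role in
    each member account and nothing else (the user-side half of the trust)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in member_account_ids.values()],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy: dict) -> list:
    """Flag Allow statements with wildcard actions, or IAM actions that would let a
    resource-control role change permissions."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.lower().startswith("iam:"):
                findings.append(f"statement {i}: IAM action {action!r}")
    return findings


def trusted_principals(policy: dict) -> list:
    """Principal ARNs a trust policy allows to call sts:AssumeRole."""
    arns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            arns.extend(_as_list(stmt["Principal"].get("AWS", [])))
    return arns


def setup_is_consistent(management_account_id, user_name, member_account_ids, role_name) -> bool:
    """The user may assume exactly the member-account roles, and each role trusts
    exactly that user."""
    user_arn = f"arn:aws:iam::{management_account_id}:user/{user_name}"
    allowed = set(user_assume_role_policy(member_account_ids, role_name)["Statement"][0]["Resource"])
    expected = {f"arn:aws:iam::{acct}:role/{role_name}" for acct in member_account_ids.values()}
    trusts_user = trusted_principals(trust_policy(management_account_id, user_name)) == [user_arn]
    return allowed == expected and trusts_user


if __name__ == "__main__":
    print(json.dumps(trust_policy(MANAGEMENT_ACCOUNT_ID, USER_NAME), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print(json.dumps(user_assume_role_policy(MEMBER_ACCOUNT_IDS, ROLE_NAME), indent=2))
    print("findings:", least_privilege_findings(permissions_policy()))
    print("consistent:", setup_is_consistent(MANAGEMENT_ACCOUNT_ID, USER_NAME, MEMBER_ACCOUNT_IDS, ROLE_NAME))
```

Run it to print the three documents; the trust policy and permissions policy go on the role in each member account, the assume-role policy on the user in the management account. The findings check is the kind of gate worth running before attaching any policy to a role that is trusted across account boundaries.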