Q66 — AWS SAP-C02 Ch.3


Q291. A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts. Which solution will meet this requirement?

Correct Answer: D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the roles by using a trust policy.

Explanation

To let an IAM user in the management account stop or terminate resources in both member accounts, the design should use cross-account access: each member account gets a role with only the permissions needed to stop or terminate resources, and that role's trust policy names the IAM user in the management account as the principal allowed to assume it.

Option D does exactly this. It creates the IAM user in the management account, creates a least-privilege cross-account role in each member account with the permissions needed to stop or terminate resources, and grants the user access to those roles through each role's trust policy.

Option A is incorrect because a cross-account role configured in the management account would not grant access to IAM users in the member accounts. Option B is incorrect because creating separate IAM users in each member account adds administrative overhead and potential security risk. Option C is incorrect because an IAM group created in the member accounts would not give the IAM user in the management account any access.
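The following is an added example, not part of the exam question or its explanation, showing what Option D looks like as policy documents and a small review check. Account IDs, the user name `ops-stopper` and the role name `StopTerminateRole` are constructed placeholders. It builds the member-account role's trust policy and least-privilege permission policy, the management-account user's policy that allows assuming the two roles (AWS requires this user-side `sts:AssumeRole` grant for cross-account assumption in addition to the role's trust policy), and a `review_role` function that flags the common weakenings: trusting the whole management account (`:root` or `*`) instead of the one user, wildcard actions, and unscoped resources.

```python
import json

# Constructed placeholder values (not real accounts).
MANAGEMENT_ACCOUNT = "111111111111"
DEV_ACCOUNT = "222222222222"
PROD_ACCOUNT = "333333333333"
USER_ARN = f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:user/ops-stopper"
ROLE_NAME = "StopTerminateRole"

# The only actions the cross-account role should be able to perform.
ALLOWED_ACTIONS = {"ec2:StopInstances", "ec2:TerminateInstances"}


def role_arn(account_id: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"


def trust_policy(principal_arn: str) -> dict:
    """Trust policy on the member-account role: only this one user may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def permission_policy(actions, account_id: str) -> dict:
    """Least-privilege permission policy: named actions, scoped to this account's instances."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": f"arn:aws:ec2:*:{account_id}:instance/*",
        }],
    }


def assume_role_policy(role_arns) -> dict:
    """Identity policy for the management-account user: may assume only the two member roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": list(role_arns),
        }],
    }


def build_member_role(account_id: str):
    """Trust and permission documents for one member account (dev or prod)."""
    return trust_policy(USER_ARN), permission_policy(ALLOWED_ACTIONS, account_id)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_role(trust: dict, perms: dict, expected_principal: str, allowed_actions) -> list:
    """Return a list of findings; an empty list means the role matches the least-privilege design."""
    findings = []
    for st in _as_list(trust.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or p.endswith(":root"):
                # Trusting an account root delegates to every IAM admin in that account.
                findings.append(f"trust policy allows broad principal {p}")
            elif p != expected_principal:
                findings.append(f"trust policy allows unexpected principal {p}")
    for st in _as_list(perms.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if "*" in action or action not in allowed_actions:
                findings.append(f"permission policy grants {action}, outside the allowed set")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append("permission policy applies to all resources")
    return findings


# A weakened variant for comparison: trusts the whole management account and grants everything.
WEAK_TRUST = trust_policy(f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:root")
WEAK_PERMS = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    for account in (DEV_ACCOUNT, PROD_ACCOUNT):
        trust, perms = build_member_role(account)
        print(account, "findings:", review_role(trust, perms, USER_ARN, ALLOWED_ACTIONS))
    print(json.dumps(assume_role_policy([role_arn(DEV_ACCOUNT), role_arn(PROD_ACCOUNT)]), indent=2))
    print("weak role findings:", review_role(WEAK_TRUST, WEAK_PERMS, USER_ARN, ALLOWED_ACTIONS))
```

The role documents would be attached in each member account and the assume-role policy to the user in the management account; the review function is the kind of check a pipeline can run before the roles are deployed.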