AWS Certified Security – Specialty (SCS-C02) — Question 262

A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company’s IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.

The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role, the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.

Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?

Answer options

Correct answer: A

Explanation

The correct action is to attach an IAM policy to the user in the business unit account that allows `sts:AssumeRole` on the specific role created for that account in the top-level account; the role itself carries the read-only S3 permissions for the account's log prefix. Cross-account access works only when both sides permit it: the user's identity policy must allow the AssumeRole call, and the role's trust policy in the top-level account must list the business unit account as a trusted principal. Options B, C, and D do not provide this mechanism for letting IAM users in the business unit accounts assume the role; they either grant the wrong permissions or use methods that do not align with AWS best practices.