AWS Certified Security – Specialty — Question 498

A company uses AWS Organization to manage 50 AWS accounts. The finance staff members log in as AWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidated billing information in the MasterPayer AWS account. They should not be able to view any other resources in the
MasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account.
Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

Answer options

• A. Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
• B. Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
• C. Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.
• D. Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.

Correct answer: D

Explanation

To enable cross-account access, an IAM role must be created in the trusting account (MasterPayer) where the resources reside, and trusted users in the FinanceDept account must be allowed to assume it. Using a role with the specific ViewBilling permission ensures the finance users have access only to billing data, satisfying the principle of least privilege. In contrast, using the ReadOnlyAccess policy would grant unauthorized read permissions to all other AWS resources in the account.