AWS Certified Solutions Architect – Associate (SAA-C02) — Question 403
A company has two AWS accounts: Production and Development. There are code changes ready in the Development account to push to the Production account.
In the alpha phase, only two senior developers on the development team need access to the Production account. In the beta phase, more developers might need access to perform testing as well.
What should a solutions architect recommend?
Answer options
- A. Create two policy documents using the AWS Management Console in each account. Assign the policy to developers who need access.
- B. Create an IAM role in the Development account. Give one IAM role access to the Production account. Allow developers to assume the role.
- C. Create an IAM role in the Production account with the trust policy that specifies the Development account. Allow developers to assume the role.
- D. Create an IAM group in the Production account and add it as a principal in the trust policy that specifies the Production account. Add developers to the group.
Correct answer: C
Explanation
To enable secure cross-account access from the Development account to the Production account, the solutions architect should create an IAM role in the target (Production) account whose trust policy names the source (Development) account as a trusted principal. Developers in the Development account then obtain temporary credentials for that role by calling AWS STS AssumeRole, which scales cleanly as access widens from the two senior developers in the alpha phase to more developers in the beta phase: the trust policy stays in Production, and which developers may assume the role is controlled by IAM permissions in Development. Creating the role in the Development account (option B) or relying on an IAM group in the Production account (option D) does not establish the cross-account trust relationship; an IAM group cannot be named as a principal in a trust policy.
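As an added illustration (not part of the original question or of AWS documentation), the following Python builds the two policy documents that option C implies, using constructed account IDs and a hypothetical role name: the trust policy on the Production role, narrowed to two named developers in alpha and widened to the Development account in beta, and the Development-side identity policy granting sts:AssumeRole on that role. The MFA condition is an added hardening assumption, not something the question requires.

```python
# Constructed sample account IDs and names; replace with real values.
DEV_ACCOUNT = "111111111111"
PROD_ACCOUNT = "222222222222"
ROLE_NAME = "DevDeploy"  # hypothetical role name in the Production account

def production_trust_policy(trusted_principals, require_mfa=True):
    """Trust policy for the role in the Production account. Alpha: pass the
    two senior developers' ARNs. Beta: pass the Development account root so
    Development's own IAM policies decide who may assume the role."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": list(trusted_principals)},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # added hardening: caller must have authenticated with MFA
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def development_assume_policy(prod_account, role_name):
    """Identity policy in the Development account (attach to a user in alpha,
    to a group in beta) allowing AssumeRole on the Production role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{prod_account}:role/{role_name}",
        }],
    }

def trusts_only_development(trust_policy, dev_account):
    """True when every principal allowed to call sts:AssumeRole belongs to
    the Development account (a wildcard or a foreign account fails)."""
    for stmt in trust_policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if principals and all(f":{dev_account}:" in p for p in principals):
            return True
    return False

ALPHA_PRINCIPALS = [f"arn:aws:iam::{DEV_ACCOUNT}:user/senior-dev-{i}" for i in (1, 2)]
BETA_PRINCIPALS = [f"arn:aws:iam::{DEV_ACCOUNT}:root"]
```

Moving from alpha to beta only changes the principal list passed to `production_trust_policy`; the Development-side policy can then be attached to a group instead of individual users.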