AWS Certified Solutions Architect – Associate (SAA-C03) — Question 808
A company has two AWS accounts: Production and Development. The company needs to push code changes in the Development account to the Production account. In the alpha phase, only two senior developers on the development team need access to the Production account. In the beta phase, more developers will need access to perform testing.
Which solution will meet these requirements?
Answer options
- A. Create two policy documents by using the AWS Management Console in each account. Assign the policy to developers who need access.
- B. Create an IAM role in the Development account. Grant the IAM role access to the Production account. Allow developers to assume the role.
- C. Create an IAM role in the Production account. Define a trust policy that specifies the Development account. Allow developers to assume the role.
- D. Create an IAM group in the Production account. Add the group as a principal in a trust policy that specifies the Production account. Add developers to the group.
Correct answer: C
Explanation
To establish secure cross-account access, the target account (Production) must host the IAM role and define a trust policy that trusts the source account (Development). Users in the Development account can then be granted sts:AssumeRole permissions, which easily scales from two senior developers in the alpha phase to more testers in the beta phase. Creating the role in the Development account or attempting to use an IAM group as a principal in a trust policy are incorrect approaches for cross-account delegation.
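The two-sided check behind option C, as an added example that is not part of the original question: the trust policy on the role in Production names the Development account, and an identity policy in Development grants the developer group permission to call sts:AssumeRole on that role. Account IDs, user names, the role name and the simplified evaluator are constructed for illustration (no Deny statements, conditions or SCPs are modelled).

```python
"""Simplified model of a cross-account sts:AssumeRole decision.

Constructed example: account IDs, names and the evaluator are placeholders,
not AWS's real policy engine. For a cross-account call, BOTH the caller's
identity policy (Development) AND the role's trust policy (Production)
must allow the action.
"""
import fnmatch

DEV_ACCOUNT = "111111111111"   # placeholder Development account ID
PROD_ACCOUNT = "222222222222"  # placeholder Production account ID
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/DevDeployRole"

# Trust policy on the role in Production: trusts the Development account.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Identity policy in Development, attached to a group.
ASSUME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}
PROD_ACCESS_GROUP = {"alice", "bob"}  # alpha phase: two senior developers; grow in beta

def account_of(arn):
    return arn.split(":")[4]

def trust_allows(trust_policy, caller_arn):
    """An account-root principal covers any IAM identity in that account."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        for p in ([principals] if isinstance(principals, str) else principals):
            if p == caller_arn or (p.endswith(":root") and account_of(p) == account_of(caller_arn)):
                return True
    return False

def identity_allows(policy, role_arn):
    return any(s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
               and fnmatch.fnmatch(role_arn, s["Resource"]) for s in policy["Statement"])

def can_assume(caller_arn, role_arn=ROLE_ARN):
    """True only if the Development-side identity policy AND the Production trust policy allow."""
    user = caller_arn.rsplit("/", 1)[-1]
    in_group = account_of(caller_arn) == DEV_ACCOUNT and user in PROD_ACCESS_GROUP
    identity_ok = in_group and identity_allows(ASSUME_POLICY, role_arn)
    return identity_ok and trust_allows(TRUST_POLICY, caller_arn)
```

Moving from alpha to beta is a change to PROD_ACCESS_GROUP in the Development account only; the role and its trust policy in Production stay untouched.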