AWS Certified Solutions Architect – Professional (SAP-C02) — Question 264

A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts.

Which solution will meet this requirement?

Answer options

Correct answer: D

Explanation

To enable an IAM user in a management account to perform actions in member accounts, each member account must contain a cross-account IAM role that carries the necessary permissions and whose trust policy trusts the management account's IAM user. The IAM user in the management account can then assume these roles to stop or terminate resources. Option A is incorrect because creating the cross-account role in the management account does not grant access to resources in the member accounts; option B reverses the trust relationship; and option C is impossible because IAM groups cannot contain users from other AWS accounts.
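The three policy documents that implement the correct option, as an added example that is not part of the original question: the trust policy and permissions policy for the role in each member account, and the identity policy that lets the management-account user assume that role. Account IDs, the role name `OrgResourceStopper` and the user `ops-admin` are constructed placeholders; `role_trusts` checks the trust direction that option B gets wrong.

```python
import json

# Constructed placeholder account IDs and names; not from the original question.
MANAGEMENT_ACCOUNT_ID = "111111111111"
MEMBER_ACCOUNT_IDS = ["222222222222", "333333333333"]   # dev, prod
ROLE_NAME = "OrgResourceStopper"                          # hypothetical role name
USER_ARN = f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:user/ops-admin"  # hypothetical user


def member_trust_policy(trusted_principal_arn: str) -> dict:
    # Trust policy on the role in EACH member account: only the management-account
    # IAM user may assume it. This is the relationship option B gets backwards.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole"}]}


def member_permissions_policy() -> dict:
    # Permissions policy on the same role: only stop/terminate (least privilege).
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
        "Resource": "*"}]}


def user_assume_role_policy(member_account_ids: list, role_name: str) -> dict:
    # Identity policy on the management-account user: may assume the role in the
    # listed member accounts and nothing else.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": [f"arn:aws:iam::{a}:role/{role_name}" for a in member_account_ids]}]}


def role_trusts(trust_policy: dict, principal_arn: str) -> bool:
    # Check the trust direction: True if the member role's trust policy names principal_arn.
    for stmt in trust_policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        if principal_arn in (aws if isinstance(aws, list) else [aws]):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(member_trust_policy(USER_ARN), indent=2))
    print(json.dumps(user_assume_role_policy(MEMBER_ACCOUNT_IDS, ROLE_NAME), indent=2))
```

The user then calls `sts:AssumeRole` on each member-account role ARN and uses the returned temporary credentials for the stop or terminate call.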