AWS Certified Solutions Architect – Professional (SAP-C02) — Question 277

A company needs to create and manage multiple AWS accounts for a number of departments from a central location. The security team requires read-only access to all accounts from its own AWS account. The company is using AWS Organizations and created an account for the security team.

How should a solutions architect meet these requirements?

Answer options

Correct answer: B

Explanation

Option B is correct because the default OrganizationAccountAccessRole that AWS Organizations creates in each member account carries administrative permissions, so it should be used only to set up a new, restricted cross-account IAM role in each member account that trusts the security account. Option A is incorrect because a trust relationship cannot be established with an IAM policy alone; it is defined in the trust policy of an IAM role. Options C and D are incorrect because having the security team assume the OrganizationAccountAccessRole directly would grant full administrative access rather than the required read-only access.
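The approach in option B, as an added example that is not part of the exam page: assume the default OrganizationAccountAccessRole in a member account and use it to create a role that only the security account can assume, with the AWS managed ReadOnlyAccess policy attached. The role name SecurityReadOnly, the external ID and the account IDs are assumptions; the trust-policy check is included so an over-broad principal is caught before the role is created.

```python
"""Provision a read-only cross-account role in an Organizations member account.

Added example, not from the exam page. Role name, external ID and account IDs
are assumptions; OrganizationAccountAccessRole and ReadOnlyAccess are real AWS names.
"""
import json

READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy
ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"  # default admin role in member accounts


def build_trust_policy(security_account_id: str, external_id: str) -> dict:
    """Trust policy allowing only the security account to assume the role.
    The sts:ExternalId condition is an extra guard against confused-deputy misuse."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy: dict, expected_account: str) -> list:
    """Defender check: flag Allow statements that trust anything but the security account."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or expected_account not in p:
                problems.append(f"unexpected principal: {p}")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            problems.append("missing ExternalId condition")
    return problems


def create_read_only_role(member_account_id, security_account_id, external_id,
                          role_name="SecurityReadOnly"):
    """From the management account: assume OrganizationAccountAccessRole in the member
    account, then create the restricted role there and attach ReadOnlyAccess only."""
    import boto3  # imported here so the helpers above run without AWS credentials
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{member_account_id}:role/{ORG_ACCESS_ROLE}",
        RoleSessionName="provision-security-readonly")["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    trust = build_trust_policy(security_account_id, external_id)
    if trust_policy_problems(trust, security_account_id):
        raise ValueError("trust policy is broader than the security account")
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=READ_ONLY_POLICY_ARN)
    return role["Role"]["Arn"]
```

Run `create_read_only_role` once per member account from the management account; the security team then assumes SecurityReadOnly in each account, never OrganizationAccountAccessRole.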