AWS Certified Solutions Architect – Professional (SAP-C02) — Question 300
A company is using AWS Organizations with a multi-account architecture. The company's current security configuration for the account architecture includes SCPs, resource-based policies, identity-based policies, trust policies, and session policies.
A solutions architect needs to allow an IAM user in Account A to assume a role in Account B.
Which combination of steps must the solutions architect take to meet this requirement? (Choose three.)
Answer options
- A. Configure the SCP for Account A to allow the action.
- B. Configure the resource-based policies to allow the action.
- C. Configure the identity-based policy on the user in Account A to allow the action.
- D. Configure the identity-based policy on the user in Account B to allow the action.
- E. Configure the trust policy on the target role in Account B to allow the action.
- F. Configure the session policy to allow the action and to be passed programmatically by the GetSessionToken API operation.
Correct answer: A, C, E
Explanation
Cross-account role assumption succeeds only when every policy layer on the request path allows it. On the caller's side, the IAM user in Account A needs an identity-based policy that allows sts:AssumeRole on the ARN of the target role (C), and because Account A belongs to an AWS Organization, the SCPs that apply to Account A must permit sts:AssumeRole (A). An SCP never grants permissions on its own; it sets the ceiling for every principal in the account, so a restrictive SCP makes the call fail even when the other two policies are correct. On the target side, the trust policy of the role in Account B must list the Account A user (or the Account A root, which delegates the decision to Account A's identity-based policies) as a trusted principal for sts:AssumeRole (E). In a cross-account request the identity-based policy in the caller's account and the trust policy on the role must both allow the action; neither one is sufficient alone. The remaining options do not establish the trust. The trust policy is itself the role's resource-based policy, so no separate resource-based policy (B) is involved in assuming the role. The user exists in Account A, so an identity-based policy in Account B (D) has nothing to attach to. Session policies (F) can only narrow the permissions of an assumed session, they are passed to the AssumeRole family of calls rather than to GetSessionToken, and they cannot grant access that the other policies deny.
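The three policy documents and the order in which they gate the request, as an added example that is not part of the original question or of any AWS code. It is a deliberately small model of the evaluation, not the AWS engine: the account IDs, the user alice, the role CrossAccountAuditRole and the helper names are constructed for illustration.

```python
"""Illustrative model (not AWS's evaluation engine) of the three policies checked
when an IAM user in Account A calls sts:AssumeRole on a role in Account B.
Account IDs, principal names and ARNs below are constructed for the example."""
from fnmatch import fnmatchcase

ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
USER_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/CrossAccountAuditRole"

# SCP in effect for Account A (attached to the account or an OU above it).
# It grants nothing by itself; it only must not block sts:AssumeRole.
SCP_ACCOUNT_A = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Identity-based policy attached to the IAM user in Account A.
IDENTITY_POLICY_USER_A = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}

# Trust policy (the role's own resource-based policy) on the role in Account B.
TRUST_POLICY_ROLE_B = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": USER_ARN},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    """IAM-style wildcard match for Action and Resource fields."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal_block, principal_arn):
    """A trust-policy Principal matches an exact ARN, the bare account ID,
    or the account root ARN (which trusts the whole account)."""
    account = principal_arn.split(":")[4]
    accepted = {principal_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in accepted for p in _as_list(principal_block.get("AWS", [])))


def evaluate(policy, action, resource, principal_arn=None):
    """Return 'allow', 'deny' (explicit) or 'implicit_deny' for one policy document."""
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if not _any_match(stmt.get("Action", []), action):
            continue
        if not _any_match(stmt.get("Resource", "*"), resource):
            continue
        if principal_arn is not None and not _principal_matches(
                stmt.get("Principal", {}), principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny overrides any allow
        decision = "allow"
    return decision


def can_assume_role(scp, identity_policy, trust_policy,
                    user_arn=USER_ARN, role_arn=ROLE_ARN):
    """All three gates must allow; the first gate that fails is reported.
    Account B's SCPs are not consulted here: they constrain what the assumed
    session may do afterwards, not whether the AssumeRole call itself succeeds."""
    action = "sts:AssumeRole"
    gates = [
        ("SCP on Account A", evaluate(scp, action, role_arn)),
        ("identity-based policy on the user", evaluate(identity_policy, action, role_arn)),
        ("trust policy on the role in Account B",
         evaluate(trust_policy, action, role_arn, principal_arn=user_arn)),
    ]
    for name, result in gates:
        if result != "allow":
            return False, f"{name}: {result}"
    return True, "allowed"


if __name__ == "__main__":
    print(can_assume_role(SCP_ACCOUNT_A, IDENTITY_POLICY_USER_A, TRUST_POLICY_ROLE_B))
```

Dropping any one of the three documents, or adding an explicit Deny on sts:AssumeRole to the SCP, turns the result into a denial that names the failing layer, which mirrors why options A, C and E are all required. Changing the trust policy's Principal to the Account A root ARN still allows the call, because the decision for that account is then delegated to the user's identity-based policy.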