AWS Certified Solutions Architect – Professional (SAP-C02) — Question 351

A large payroll company recently merged with a small staffing company. The unified company now has multiple business units, each with its own existing AWS account.

A solutions architect must ensure that the company can centrally manage the billing and access policies for all the AWS accounts. The solutions architect configures AWS Organizations by sending an invitation to all member accounts of the company from a centralized management account.

What should the solutions architect do next to meet these requirements?

Answer options

• A. Create the OrganizationAccountAccess IAM group in each member account. Include the necessary IAM roles for each administrator.
• B. Create the OrganizationAccountAccessPolicy IAM policy in each member account. Connect the member accounts to the management account by using cross-account access.
• C. Create the OrganizationAccountAccessRole IAM role in each member account. Grant permission to the management account to assume the IAM role.
• D. Create the OrganizationAccountAccessRole IAM role in the management account. Attach the AdministratorAccess AWS managed policy to the IAM role. Assign the IAM role to the administrators in each member account.

Correct answer: C

Explanation

When member accounts join an organization via an invitation rather than being created within it, the OrganizationAccountAccessRole is not automatically provisioned. To enable administrative cross-account access, this role must be manually created in each invited member account with a trust policy that allows the management account to assume it. The other options are incorrect because they either configure the role in the wrong account or attempt to use IAM groups and policies in a way that does not establish the necessary cross-account trust.