AWS Certified Solutions Architect – Professional (SAP-C02) — Question 364
A financial company needs to create a separate AWS account for a new digital wallet application. The company uses AWS Organizations to manage its accounts. A solutions architect uses the IAM user Support1 from the management account to create a new member account with [email protected] as the email address.
What should the solutions architect do to create IAM users in the new member account?
Answer options
- A. Sign in to the AWS Management Console with AWS account root user credentials by using the 64-character password from the initial AWS Organizations email sent to [email protected]. Set up the IAM users as required.
- B. From the management account, switch roles to assume the OrganizationAccountAccessRole role with the account ID of the new member account. Set up the IAM users as required.
- C. Go to the AWS Management Console sign-in page. Choose “Sign in using root account credentials.” Sign in by using the email address finance[email protected] and the management account's root password. Set up the IAM users as required.
- D. Go to the AWS Management Console sign-in page. Sign in by using the account ID of the new member account and the Support1 IAM credentials. Set up the IAM users as required.
Correct answer: B
Explanation
When a new member account is created via AWS Organizations, AWS automatically provisions an IAM role named OrganizationAccountAccessRole in the member account with full administrative privileges. Users in the management account can access the new member account by switching to this role, eliminating the need to configure or use root credentials initially. Other methods, such as using the management account's root password or using Support1 credentials directly in the new account, will fail because those credentials do not exist in, or do not apply to, the new member account.