AWS Certified Solutions Architect – Professional — Question 398
A financial company needs to create a separate AWS account for a new digital wallet application. The company uses AWS Organizations to manage its accounts.
A solutions architect uses the IAM user Support1 from the master account to create a new member account with [email protected] as the email address.
What should the solutions architect do to create IAM users in the new member account?
Answer options
- A. Sign in to the AWS Management Console with AWS account root user credentials by using the 64-character password from the initial AWS Organizations email sent to [email protected]. Set up the IAM users as required.
- B. From the master account, switch roles to assume the OrganizationAccountAccessRole role with the account ID of the new member account. Set up the IAM users as required.
- C. Go to the AWS Management Console sign-in page. Choose “Sign in using root account credentials.” Sign in by using the email address [email protected] and the master account's root password. Set up the IAM users as required.
- D. Go to the AWS Management Console sign-in page. Sign in by using the account ID of the new member account and the Support1 IAM credentials. Set up the IAM users as required.
Correct answer: B
Explanation
When a new member account is created via AWS Organizations, AWS automatically provisions an administrative IAM role named OrganizationAccountAccessRole in the member account. Users in the management account with appropriate permissions can assume this role to manage the member account and set up local IAM users. This approach avoids the need to immediately configure or use the root user credentials of the new member account.