AWS Certified Solutions Architect – Professional — Question 418
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment.
You plan to link each account's bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget, you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts.
Identify which option will allow you to achieve this goal.
Answer options
- A. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
- B. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
- C. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
- D. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts.
Correct answer: C
Explanation
To enable administrative control across multiple AWS accounts, you must set up cross-account access by creating IAM roles in the target accounts (Dev and Test) that trust the originating account (Master). Administrators in the Master account can then assume these roles to perform actions like stopping or deleting resources. Consolidated Billing is strictly for billing aggregation and does not grant any cross-account resource permissions by default.