AWS Certified Solutions Architect – Professional — Question 760
A company needs to create and manage multiple AWS accounts for a number of departments from a central location. The security team requires read-only access to all accounts from its own AWS account. The company is using AWS Organizations and created an account for the security team.
How should a solutions architect meet these requirements?
Answer options
- A. Use the OrganizationAccountAccessRole IAM role to create a new IAM policy with read-only access in each member account. Establish a trust relationship between the IAM policy in each member account and the security account. Ask the security team to use the IAM policy to gain access.
- B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.
- C. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the management account from the security account. Use the generated temporary credentials to gain access.
- D. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the member account from the security account. Use the generated temporary credentials to gain access.
Correct answer: B
Explanation
To grant the security team read-only access without giving it administrative privileges, a new IAM role with read-only permissions must be created in each member account. The pre-existing OrganizationAccountAccessRole (which has administrator privileges) lets an administrator bootstrap this read-only role in each member account and configure its trust policy to trust the security team's account; the security team then assumes the new role, not OrganizationAccountAccessRole. Options C and D are incorrect because assuming OrganizationAccountAccessRole directly would grant the security team full administrator access, violating the principle of least privilege. Option A is incorrect because trust relationships are established with IAM roles, not IAM policies.
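The option B procedure as an added example in Python with boto3 (not code from the question bank or from AWS): the management account assumes OrganizationAccountAccessRole in a member account, creates a role whose trust policy names only the security account, attaches the AWS managed ReadOnlyAccess policy, and refuses to proceed if the trust policy is broader than that. The role name SecurityReadOnly, the optional external ID and any account IDs are assumptions; `bootstrap_read_only_role` needs real management-account credentials, while the two helper functions run offline.

```python
"""Option B, scripted: from the management account, assume OrganizationAccountAccessRole
in a member account and create a role that only the security account can assume."""
import json

READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy
ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"  # created by AWS Organizations


def build_trust_policy(security_account_id, external_id=""):
    """Trust policy letting principals in the security account assume the role."""
    statement = {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"}}
    if external_id:  # optional confused-deputy guard (assumed, not required by the question)
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_issues(policy, security_account_id):
    """Findings if the trust policy lets anyone but the security account assume the role."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            issues.append("wildcard principal: any AWS account could assume the role")
            continue
        arns = principal.get("AWS", [])
        for arn in ([arns] if isinstance(arns, str) else arns):
            if f":{security_account_id}:" not in arn:
                issues.append(f"trusts a principal outside the security account: {arn}")
    return issues


def bootstrap_read_only_role(member_account_id, security_account_id, role_name="SecurityReadOnly"):
    """Needs boto3 and management-account credentials; returns the new role's ARN."""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{member_account_id}:role/{ORG_ACCESS_ROLE}",
        RoleSessionName="bootstrap-read-only-role")["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    policy = build_trust_policy(security_account_id)
    if trust_policy_issues(policy, security_account_id):
        raise ValueError("refusing to create a role with an over-broad trust policy")
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(policy))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=READ_ONLY_POLICY_ARN)  # read-only only
    return role["Role"]["Arn"]
```

Run `bootstrap_read_only_role` once per member account; the security team then calls `sts:AssumeRole` on the returned ARN from its own account.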