AWS Certified Solutions Architect – Professional — Question 919

A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is inked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts.
Which solution will meet this requirement?

Answer options

• A. Create an IAM user and a cross-account role in the management account. Configure the cross-account role with least privilege access to the member accounts.
• B. Create an IAM user in each member account. In the management account, create a cross-account role that has least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.
• C. Create an IAM user in the management account. In the member accounts, create an IAM group that has least privilege access. Add the IAM user from the management account to each IAM group in the member accounts.
• D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the role by using a trust policy.

Correct answer: D

Explanation

To allow an IAM user in a management account to manage resources in member accounts, you must configure IAM roles inside the target member accounts that trust the management account. The IAM user can then assume these cross-account roles to perform actions like stopping or terminating resources. IAM users cannot be directly added to IAM groups in other accounts, and creating the roles in the management account itself would not grant the necessary permissions over resources in the member accounts.