AWS Certified SysOps Administrator – Associate — Question 467
A company has an AWS Lambda function in Account A. The Lambda function needs to read the objects in an Amazon S3 bucket in Account B. A SysOps administrator must create corresponding IAM roles in both accounts.
Which solution will meet these requirements?
Answer options
- A. In Account A, create a Lambda execution role to assume the role in Account B. In Account B, create a role that the function can assume to gain access to the S3 bucket.
- B. In Account A, create a Lambda execution role that provides access to the S3 bucket. In Account B, create a role that the function can assume.
- C. In Account A, create a role that the function can assume. In Account B, create a Lambda execution role that provides access to the S3 bucket.
- D. In Account A, create a role that the function can assume to gain access to the S3 bucket. In Account B, create a Lambda execution role to assume the role in Account A.
Correct answer: A
Explanation
To access resources in another AWS account, the Lambda function in Account A needs an execution role that permits it to call the sts:AssumeRole API on a role in Account B. Account B must contain an IAM role with a trust policy allowing Account A's execution role to assume it, along with an IAM policy granting read permissions to the target Amazon S3 bucket. Option A correctly outlines this cross-account delegation pattern, whereas the other options incorrectly assign the roles and trust relationships between the two accounts.
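The pattern in option A, as an added example that is not part of the exam page: the three policy documents it implies (execution-role permission policy in Account A, trust policy and bucket-read policy on the role in Account B) plus a handler that performs the AssumeRole and reads the bucket with the temporary credentials. Account ids, bucket and role names are constructed placeholders, and the clients are injected so the flow runs without AWS access.

```python
import json

# Constructed placeholder account ids, bucket and role names; replace with real values.
ACCOUNT_A = "111111111111"          # account that owns the Lambda function
ACCOUNT_B = "222222222222"          # account that owns the S3 bucket
BUCKET = "example-bucket-in-account-b"
EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/lambda-exec-role"   # Lambda execution role (Account A)
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/s3-reader-role"   # role the function assumes (Account B)


def execution_role_policy():
    """Account A: the execution role may assume exactly one role in Account B, nothing else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE_ARN}]}


def target_role_trust_policy():
    """Account B: trust only A's execution role, not the whole of Account A."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": EXEC_ROLE_ARN}, "Action": "sts:AssumeRole"}]}


def target_role_permission_policy():
    """Account B: read-only access scoped to the one bucket (list + get)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}


def list_bucket_cross_account(sts_client, s3_client_factory):
    """Assume the Account B role using the Lambda's own execution-role credentials, then
    list the bucket with the temporary credentials STS returns. Clients are injected."""
    creds = sts_client.assume_role(RoleArn=TARGET_ROLE_ARN,
                                   RoleSessionName="lambda-read-account-b")["Credentials"]
    s3 = s3_client_factory(aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
    resp = s3.list_objects_v2(Bucket=BUCKET)
    return [obj["Key"] for obj in resp.get("Contents", [])]


def lambda_handler(event, context):
    import boto3  # imported here so the policy helpers above work without boto3 installed
    keys = list_bucket_cross_account(boto3.client("sts"),
                                     lambda **kw: boto3.client("s3", **kw))
    return {"statusCode": 200, "body": json.dumps({"keys": keys})}
```

Attach `execution_role_policy()` to the execution role in Account A, and `target_role_trust_policy()` and `target_role_permission_policy()` to the reader role in Account B; no bucket policy is needed because the reader role lives in the bucket owner's account.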