AWS Certified DevOps Engineer – Professional — Question 208

A company has multiple child accounts that are part of an organization in AWS Organizations. The security team needs to review every Amazon EC2 security group and their inbound and outbound rules. The security team wants to programmatically retrieve this information from the child accounts using an AWS Lambda function in the management account of the organization.
Which combination of access changes will meet these requirements? (Choose three.)

Answer options

• A. Create a trust relationship that allows users in the child accounts to assume the management account IAM role.
• B. Create a trust relationship that allows users in the management account to assume the IAM roles of the child accounts.
• C. Create an IAM role in each child account that has access to the AmazonEC2ReadOnlyAccess managed policy.
• D. Create an IAM role in each child account to allow the sts:AssumeRole action against the management account IAM role's ARN.
• E. Create an IAM role in the management account that allows the sts:AssumeRole action against the child account IAM role's ARN.
• F. Create an IAM role in the management account that has access to the AmazonEC2ReadOnlyAccess managed policy.

Correct answer: B, C, E

Explanation

The correct answers are B, C, and E. Option B enables the management account to assume roles in child accounts, which is necessary for accessing their resources. Option C ensures that the IAM roles in the child accounts have the necessary permissions to view EC2 resources. Option E allows the management account to assume roles in child accounts to retrieve the required security group information. Options A, D, and F do not fulfill the needed access structure for this scenario.