AWS Certified SysOps Administrator – Associate (legacy) — Question 37
An organization has two AWS accounts: Development and Production. A SysOps Administrator manages access of IAM users to both accounts. Some IAM users in Development should have access to certain resources in Production.
How can this be accomplished?
Answer options
- A. Create an IAM role in the Production account with the Development account as a trusted entity and then allow those users from the Development account to assume the Production account IAM role.
- B. Create a group of IAM users in the Development account, and add Production account service ARNs as resources in the IAM policy.
- C. Establish a federation between the two accounts using the on-premises Microsoft Active Directory, and allow the Development account to access the Production account through this federation.
- D. Establish an Amazon Cognito Federated Identity between the two accounts, and allow the Development account to access the Production account through this federation.
Correct answer: A
Explanation
The correct answer is A. Access to a resource in Production must be granted by the Production account itself, so the Production account creates an IAM role whose trust policy names the Development account as a trusted entity; the Development account then attaches a policy allowing its chosen IAM users to call sts:AssumeRole on that role. Both halves are needed: the trust policy alone grants nothing until Development permits specific users to assume the role. Option B fails because a policy in the Development account cannot grant permissions on resources owned by the Production account simply by listing their ARNs. Options C and D introduce identity federation (Active Directory or Amazon Cognito) that serves external identities, which is unnecessary here since the users already exist as IAM users and direct cross-account role assumption meets the requirement.
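The two policies behind option A, plus a review check and the runtime assume-role step, as an added example that is not part of the original question. The account ids and the role name ProdAccessForDev are placeholders constructed for illustration; the assume-role call needs boto3 and real Development credentials, so it is not invoked by default.

```python
from typing import Optional

DEV_ACCOUNT = "111111111111"    # placeholder Development account id
PROD_ACCOUNT = "222222222222"   # placeholder Production account id
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/ProdAccessForDev"  # hypothetical role


def trust_policy(dev_account: str, external_id: Optional[str] = None) -> dict:
    """Trust policy on the Production role: lets principals in the Development
    account call sts:AssumeRole. Trusting the account root delegates to the
    Development account's own IAM policies the choice of *which* users may."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dev_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:  # optional extra condition the caller must present
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(role_arn: str) -> dict:
    """Identity policy attached to the chosen users or group in Development.
    The trust policy alone grants nothing; this second half is required too."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def trust_policy_is_scoped(policy: dict, expected_account: str) -> bool:
    """Review check: every principal must belong to the expected account and
    never be the wildcard '*', which would let any AWS account assume the role."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in [aws] if isinstance(aws, str) else (aws or []):
            if p == "*" or f":{expected_account}:" not in p:
                return False
    return True


def assume_production_role(role_arn: str, session_name: str,
                           external_id: Optional[str] = None) -> dict:
    """Runtime step for a Development user: swap their credentials for
    temporary Production credentials. Needs boto3 and live Development creds."""
    import boto3  # imported lazily so the policy helpers work without it
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id:
        kwargs["ExternalId"] = external_id
    return boto3.client("sts").assume_role(**kwargs)["Credentials"]
```

The session name passed to assume_production_role appears in CloudTrail, so use one that identifies the Development user for later review.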