AWS Certified SysOps Administrator – Associate (legacy) — Question 661
A company has a multi-account AWS environment that includes the following:
- A central identity account that contains all IAM users and groups
- Several member accounts that contain IAM roles
A SysOps administrator must grant permissions for a particular IAM group to assume a role in one of the member accounts.
How should the SysOps administrator accomplish this task?
Answer options
- A. In the member account, add sts:AssumeRole permissions to the role's policy. In the identity account, add a trust policy to the group that specifies the account number of the member account.
- B. In the member account, add the group Amazon Resource Name (ARN) to the role's trust policy. In the identity account, add an inline policy to the group with sts:AssumeRole permissions.
- C. In the member account, add the group Amazon Resource Name (ARN) to the role's trust policy. In the identity account, add an inline policy to the group with sts:PassRole permissions.
- D. In the member account, add the group Amazon Resource Name (ARN) to the role's inline policy. In the identity account, add a trust policy to the group with sts:AssumeRole permissions.
Correct answer: A
Explanation
To enable cross-account delegation, the target role in the member account must permit the identity account to assume it, while the identity account's group must have permission to call the sts:AssumeRole API. Option A correctly identifies this flow by establishing the sts:AssumeRole capability on the member account's role and mapping the trust relationship from the identity account to the member account. Other options are incorrect because IAM groups cannot be designated as principals in trust policies, and sts:PassRole is used for passing roles to AWS services rather than cross-account user delegation.
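The two policy documents the explanation describes, as an added example that is not part of the original question: the role's trust policy in the member account names the identity account as the principal, and the group's permission policy in the identity account grants sts:AssumeRole on that role. Account IDs, the role name and the group name are constructed placeholders, and the evaluation is deliberately simplified (no wildcards, Deny statements or Condition blocks).

```python
import re
from typing import List
IDENTITY_ACCOUNT = "111111111111"  # constructed placeholder
MEMBER_ACCOUNT = "222222222222"    # constructed placeholder
MEMBER_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/MemberAdminRole"
# Trust policy on the role in the member account: the principal is the
# identity account (or an IAM user/role in it), never an IAM group.
ROLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{IDENTITY_ACCOUNT}:root"},
    "Action": "sts:AssumeRole"}]}
# Permission policy on the group in the identity account: members may call
# sts:AssumeRole, scoped to the one member-account role.
GROUP_ASSUME_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": MEMBER_ROLE_ARN}]}
GROUP_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:group/")

def _as_list(value):  # IAM accepts a string or a list in most fields
    return value if isinstance(value, list) else [value]

def _principals(statement: dict) -> list:
    return _as_list(statement.get("Principal", {}).get("AWS", []))

def _allows_assume(statement: dict) -> bool:
    return (statement.get("Effect") == "Allow"
            and "sts:AssumeRole" in _as_list(statement.get("Action", [])))

def trust_policy_findings(trust: dict) -> List[str]:
    """Flag the trust-policy mistakes the explanation calls out."""
    findings = []
    for st in _as_list(trust["Statement"]):
        for arn in _principals(st):
            if GROUP_ARN_RE.match(arn):
                findings.append(f"IAM group is not a valid principal: {arn}")
        if not _allows_assume(st):
            findings.append("trust policy does not allow sts:AssumeRole")
    return findings

def group_can_assume(trust: dict, group_policy: dict,
                     identity_account: str, role_arn: str) -> bool:
    """Simplified: both halves must be present; ignores wildcards, Deny, Condition."""
    trusted = not trust_policy_findings(trust) and any(
        _allows_assume(st)
        and any(f"::{identity_account}:" in p for p in _principals(st))
        for st in _as_list(trust["Statement"]))
    permitted = any(_allows_assume(st)
                    and role_arn in _as_list(st.get("Resource", []))
                    for st in _as_list(group_policy["Statement"]))
    return trusted and permitted
```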