Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 37 discussion

Explanation: (B) The trust relationship enables an IAM entity (user, group, or role) to assume a role. In this case, the entities in the management account need to assume roles in the member accounts. (C) The IAM role in each member account should have a policy attached that grants read-only access to EC2 instances. The AmazonEC2ReadOnlyAccess managed policy provides this access. (E) An IAM role in the management account should be created that has the permission to perform the sts:AssumeRole action against the member account IAM role's ARN. This allows entities assuming this role to switch to the roles in the member accounts and perform actions according to the permissions of those roles.

BCE are correct: B: create trust relationship for management to assume role in member accounts C: create role in member account that has access to AmazoneEC2 E: Create IAM role in management account that allow access to member account IAM role

The security team wants to programmatically retrieve this information from the member accounts using an AWS Lambda function in the management account of the organization. ReadOnlyAccess and option B grant the assumeRole Besides that the correct resource is "IAM" not "I AM" So BCF is correct

B- Member accounts should trust Management account C- Memeber accounts should have a Role athat has the necessary permission E- Managment account should have a IAM user account that has stsAssume role permission for the roles created in member accounts

BCE is wrong. They want to programmatically therefore B is definitenly wrong. The Lambda function IAM Role ARN in the management account needs to be able to assume a role in the member account that has the AmazonEC2ReadOnlyAccess attached to it. Therefore, I will go with C, D, E

BCE correct

BCE is right.

B, C and E

B, C and E

A:By creating a trust relationship that allows users in the member accounts to assume the IAM role in the management account, they will have the necessary permissions to access resources and retrieve the required information. C:To grant the necessary permissions for retrieving information about EC2 security groups, an IAM role should be created in each member account. This role should have the AmazonEC2ReadOnlyAccess managed policy attached, which provides the required permissions. E:In the management account, an IAM role should be created that allows assuming the IAM role in the member accounts. This role should have the necessary permissions to perform the sts:AssumeRole action against the ARN of the IAM roles in the member accounts.

BCE will create correct cross account permission

acd looks good)

ACE I guess https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Correct answer

Ill go with BCF