Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 246 discussion

B is right A is incorrect as you CANNOT establish a trust relationship between the IAM policy and account C and D does NOT talk about readonly access

So there is 3 parts, security account, member account, org account Goal: Security account-> member account In org account, use org crossAccountAccessRole-> create ReadOnlyRole in member account Build trust: security account & member account Security account assume member account ReadOnlyRole

D is incorrect. OrganizationAccountAccessRole will have AdministratorAccess privileage.

D Ans D. STS AssumeRole with OrganizationAccountAccessRole in Member Account: Pros: Follows best practices for cross-account access using temporary credentials. Minimizes complexity by leveraging the pre-existing OrganizationAccountAccessRole. Cons: Security team needs access to each member account to assume the role. Therefore, option D, using AWS STS to call the AssumeRole API for the OrganizationAccountAccessRole in each member account from the security account, is the most secure and efficient solution. This approach leverages existing IAM roles, minimizes configuration overhead, and adheres to best practices for cross-account access using temporary credentials.

Option B

Correct B.

its a b

B - You need a role.

b-b-b-b-b-b-b

B is classic usage of Cross Account Role

oh labiba is 'B' To meet the requirements, a solutions architect should choose option B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access. By using the OrganizationAccountAccessRole IAM role, the solutions architect can create a new IAM role with read-only access in each member account. This allows the security team to have read-only access to all accounts from their own AWS account. The trust relationship between the IAM role in each member account and the security account ensures that the security team can assume the IAM role and access the necessary resources.

B is the answer

GPT: This approach aligns with the AWS best practice of using IAM roles to delegate permissions across AWS accounts. The OrganizationAccountAccessRole is a role that is automatically created when you create a new account in an organization. This role can be assumed by the master account, but it can also be assumed by other accounts if a trust relationship is established.

Option B suggests using the OrganizationAccountAccessRole IAM role to create a new IAM role in each member account. This IAM role will have read-only access permissions. By establishing a trust relationship between the IAM role in each member account and the security account, the security team's AWS account is granted access to the member accounts.