
Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 247 discussion

A company uses an organization in AWS Organizations to manage its AWS accounts. The company's DevOps team has developed an AWS Lambda function that calls the Organizations API to create new AWS accounts.

The Lambda function runs in the organization's management account. The DevOps team needs to move the Lambda function from the management account to a dedicated AWS account. The DevOps team must ensure that the Lambda function has the ability to create new AWS accounts only in Organizations before the team deploys the Lambda function to the new account.

Which solution will meet these requirements?

  • A. In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda execution role in the new AWS account. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
  • B. In the management account, turn on delegated administration for Organizations. Create a new delegation policy that grants the new AWS account permission to create new AWS accounts in Organizations. Ensure that the Lambda execution role has the organizations:CreateAccount permission.
  • C. In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda service principal. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
  • D. In the management account, enable AWS Control Tower. Turn on delegated administration for AWS Control Tower. Create a resource policy that allows the new AWS account to create new AWS accounts in AWS Control Tower. Update the Lambda function code to use the AWS Control Tower API in the new AWS account. Ensure that the Lambda execution role has the controltower:CreateManagedAccount permission.
Suggested Answer: A

Comments

jamesf
Highly Voted 9 months, 1 week ago
Selected Answer: A
  • Create an IAM role with the necessary permissions: in the management account, create an IAM role with permissions to call the AWS Organizations API for creating new accounts.
  • Allow role assumption: configure this IAM role to be assumable by the Lambda execution role in the new AWS account. This way, the Lambda function in the new account can assume the role to gain the necessary permissions.
  • Update the Lambda function and execution role: modify the Lambda function code in the new account to assume the role created in the management account when it needs to create new AWS accounts. Also, ensure the Lambda execution role in the new account has the permissions required to assume the role in the management account.
upvoted 5 times
jamesf
9 months, 1 week ago
Why not the other options?
  • B: Delegated administration in AWS Organizations typically refers to giving permissions to manage AWS Organizations itself, rather than delegating permissions to create new accounts. Creating new accounts via the Organizations API requires specific IAM permissions, not just a delegation policy.
  • C: Allowing the Lambda service principal to assume an IAM role is not a valid approach for cross-account role assumption. Lambda functions assume roles that are explicitly allowed by their execution role, not service principals.
  • D: AWS Control Tower manages accounts and governance but requires different permissions and APIs compared to AWS Organizations for creating new accounts. Control Tower also does not directly handle account creation in the way described; instead, it manages accounts and governance at a higher level.
upvoted 5 times
[Removed]
Most Recent 8 months, 3 weeks ago
Selected Answer: A
A for me
upvoted 3 times
trungtd
9 months, 4 weeks ago
Selected Answer: A
  • Create an IAM role in the management account that includes actions like "organizations:CreateAccount".
  • Allow role assumption by specifying the ARN of the Lambda execution role in the new account in the trust policy of the IAM role.
  • Use the AWS SDK in the Lambda function's code to assume the role and get temporary credentials.
  • Ensure that the Lambda execution role in the new account has the necessary permissions to assume the IAM role created in the management account.
upvoted 4 times
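The steps listed in jamesf's and trungtd's comments, put into working form as an added example (this is not code from the discussion, from the exam, or from AWS). It assumes placeholder account IDs 111111111111 (management) and 222222222222 (the new DevOps account), role names OrgAccountCreatorRole and AccountFactoryLambdaRole, and a boto3-based Lambda handler; the STS and Organizations clients used by the offline run are constructed stand-ins, so nothing below reaches AWS. It also includes the check a practitioner would want before deploying: that the management-account role trusts the specific execution role, not the whole DevOps account.

```python
"""Option A worked through: a Lambda function in the DevOps account assumes a role in
the management account and calls organizations:CreateAccount with the temporary credentials."""

MANAGEMENT_ACCOUNT_ID = "111111111111"  # assumed placeholder
DEVOPS_ACCOUNT_ID = "222222222222"      # assumed placeholder
ORG_ROLE_ARN = f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:role/OrgAccountCreatorRole"
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT_ID}:role/AccountFactoryLambdaRole"


def management_role_trust_policy() -> dict:
    """Trust policy on the management-account role: only the Lambda execution role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_EXEC_ROLE_ARN},
        "Action": "sts:AssumeRole"}]}


def account_root_trust_policy() -> dict:
    """Weaker variant seen in practice: trusting the whole DevOps account, so any
    principal there that holds sts:AssumeRole could create accounts."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DEVOPS_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole"}]}


def management_role_permissions_policy() -> dict:
    """Permissions on the management-account role: account creation and status polling only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["organizations:CreateAccount", "organizations:DescribeCreateAccountStatus"],
        "Resource": "*"}]}


def lambda_execution_role_policy() -> dict:
    """Permissions on the Lambda execution role: it may assume exactly that one role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ORG_ROLE_ARN}]}


def trust_policy_is_role_scoped(policy: dict) -> bool:
    """Pre-deployment check: every Allow statement must trust specific IAM role ARNs,
    never an account root, a wildcard, or a service principal."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        arns = stmt["Principal"].get("AWS", "*") if isinstance(stmt["Principal"], dict) else "*"
        for arn in ([arns] if isinstance(arns, str) else arns):
            if arn == "*" or arn.endswith(":root") or ":role/" not in arn:
                return False
    return True


def create_account(event: dict, sts_client, org_client_factory) -> dict:
    """Assume the management-account role, then call CreateAccount with the temporary
    credentials. Clients are injected so the flow can be exercised offline."""
    creds = sts_client.assume_role(RoleArn=ORG_ROLE_ARN, RoleSessionName="account-factory",
                                   DurationSeconds=900)["Credentials"]  # shortest lifetime
    org = org_client_factory(creds)
    status = org.create_account(Email=event["email"], AccountName=event["account_name"],
                                IamUserAccessToBilling="DENY")["CreateAccountStatus"]
    # CreateAccount is asynchronous; the Id is what DescribeCreateAccountStatus is polled with.
    return {"request_id": status["Id"], "state": status["State"]}


def lambda_handler(event, context):
    """Lambda entry point. boto3 is imported here so the helpers above import without the SDK."""
    import boto3
    org_from = lambda c: boto3.client("organizations", aws_access_key_id=c["AccessKeyId"],
                                      aws_secret_access_key=c["SecretAccessKey"],
                                      aws_session_token=c["SessionToken"])
    return create_account(event, boto3.client("sts"), org_from)


class _FakeSts:
    """Constructed stand-in for STS: records which role was requested."""
    assumed = None

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.assumed = RoleArn
        return {"Credentials": {"AccessKeyId": "ASIAFAKE", "SecretAccessKey": "x", "SessionToken": "y"}}


class _FakeOrganizations:
    """Constructed stand-in for the Organizations client in the management account."""
    def create_account(self, Email, AccountName, IamUserAccessToBilling):
        return {"CreateAccountStatus": {"Id": "car-1a2b3c4d5e6f7a8b", "State": "IN_PROGRESS"}}


def run_offline_demo() -> dict:
    """Run the flow against the stand-ins; no AWS calls are made."""
    sts = _FakeSts()
    event = {"email": "sandbox@example.com", "account_name": "sandbox-01"}  # constructed input
    result = create_account(event, sts, lambda creds: _FakeOrganizations())
    result["assumed_role_arn"] = sts.assumed
    return result
```

The function's runtime credentials are those of its execution role, which is why the trust policy names that role's ARN as an AWS principal; the check above fails the account-root and wildcard variants on purpose. In a real deployment, CreateAccount returns IN_PROGRESS and the request Id must be polled with DescribeCreateAccountStatus, so the management-account role needs that action as well.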
tgv
10 months ago
---> A
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other