Exam AWS Certified Solutions Architect - Professional topic 1 question 917 discussion

Answer is D. The member account should create a role which a IAM user from master account will use by AssumeRole API of AWS. Also, following note may help. Actually, by default 'OrganizationAccountAccessRole' role (role has admin access) should be created in member accounts that joins by invite (for new account). However, for existing account who wants to join such role needs to be created manually (as it will not be automatically created). Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the role by using a trust policy.

Correct d

D is the right answer for me

The solution that will meet this requirement is D. - Create an IAM user in the management account. - In the member accounts, create cross-account roles that have least privilege access. - Grant the IAM user access to the role by using a trust policy. In this solution, the IAM user is created in the management account and granted access to the cross-account roles in the member accounts through trust policies. This allows the IAM user to stop or terminate resources in both member accounts while still adhering to the principle of least privilege.

easy 100% D

if it mentioned the company uses multiple regions then Delegated admin would not be ideal but assuming its all same region DA works for me so final answer ADF

D - seems to be the best option Management account Iam user = allowed to assume into role1 Dev Account Role1 = Accept access from management account Allow assume rights from IAMxxx Prod Account Role1 = Accept access from management account Allow assume rights from IAMxxx

Answer is A - https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Why not A?