Which combination of access changes will meet these requirements?
(Choose three.)
Create a trust relationship that allows users in the child accounts to assume the management account IAM role.
Create a trust relationship that allows users in the management account to assume the IAM roles of the child accounts.
Create an IAM role in each child account that has access to the AmazonEC2ReadOnlyAccess managed policy.
Create an IAM role in each child account to allow the sts:AssumeRole action against the management account IAM role’s ARN.
Create an IAM role in the management account that allows the sts:AssumeRole action against the child account IAM role’s ARN.
Create an IAM role in the management account that has access to the AmazonEC2ReadOnlyAccess managed policy.
Explanations:
The management account needs to assume the IAM roles in the child accounts to retrieve EC2 security group information. This trust relationship enables cross-account access.
The IAM role in each child account should have the AmazonEC2ReadOnlyAccess policy to allow read-only access to EC2 resources, including security groups and their rules.
An IAM role in the management account that allows the sts:AssumeRole action against the child account’s IAM role is necessary for the Lambda function in the management account to assume roles in the child accounts.
This option is not required, as it pertains to allowing child account users to assume roles in the management account, which is not necessary for this use case.
The IAM role in the child account should allow the management account to assume it, not the other way around. The sts:AssumeRole action is needed from the management account to the child accounts, not the reverse.
An IAM role in the management account should not have direct EC2 read-only permissions. The Lambda function needs to assume roles in child accounts, not access them directly with this policy.