How should a solutions architect meet these requirements?
Use the OrganizationAccountAccessRole IAM role to create a new IAM policy with read-only access in each member account. Establish a trust relationship between the IAM policy in each member account and the security account. Ask the security team to use the IAM policy to gain access.
Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.
Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the management account from the security account. Use the generated temporary credentials to gain access.
Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the member account from the security account. Use the generated temporary credentials to gain access.
Explanations:
The OrganizationAccountAccessRole IAM role is not a role in the management account. AWS Organizations creates it in each member account that is created through Organizations; it carries the AdministratorAccess managed policy, and its trust policy allows principals in the management account to assume it. Creating a new IAM policy in each member account does not give the security account anything it can assume: an IAM policy has no trust relationship, because trust policies exist only on IAM roles. A policy is attached to a principal; it is not a principal. This option therefore cannot provide centralized read-only access.
Creating a new IAM role with read-only access in each member account (for example with the AWS managed ReadOnlyAccess or SecurityAudit policy attached) and writing a trust policy that names the security account as the principal lets the security team call sts:AssumeRole on that role from the security account and receive temporary, read-only credentials for each member account. The solutions architect can do this from the management account by assuming OrganizationAccountAccessRole in each member account, which is exactly what that role is for. This matches the AWS best practice for cross-account access: one role per account, a trust policy scoped to the consuming account, and least-privilege permissions rather than the administrator-level access that the bootstrap role carries.
OrganizationAccountAccessRole does not exist in the management account; it lives in the member accounts and trusts the management account. An AssumeRole call for that role name in the management account fails because there is no such role there, and even if one existed, assuming a role in the management account would not grant access to resources in the member accounts.
The AssumeRole call in this option targets the right account but the wrong role. The default trust policy of OrganizationAccountAccessRole names only the management account, so an AssumeRole call from the security account is denied. Widening that trust policy to include the security account would also be wrong: the role carries AdministratorAccess rather than read-only permissions, and member accounts that were invited into the organization rather than created in it do not have the role at all. The security team needs a separate read-only IAM role in each member account; OrganizationAccountAccessRole should be used only by the architect, from the management account, to create that role.
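As an added example (not part of the original question or its explanations), the recommended option scripted from the management account with boto3: for each active member account, assume OrganizationAccountAccessRole, create a read-only role whose trust policy names the security account, attach the AWS managed ReadOnlyAccess policy, and then read back the trust document that actually landed to confirm it trusts only the security account. The account IDs, the external ID and the role name SecurityTeamReadOnly are assumptions; the boto3 calls are real, and the pure helpers (trust-policy builder and checker) run without boto3 installed.

```python
"""Provision a read-only cross-account role in every member account (added example).

Runs with management-account credentials, because the management account is the
only principal that OrganizationAccountAccessRole trusts by default. Account IDs,
the external ID and the role name SecurityTeamReadOnly are assumptions.
"""
import json

ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"           # created by Organizations in each member account
AUDIT_ROLE_NAME = "SecurityTeamReadOnly"                     # assumed name for the new role
READ_ONLY_POLICY = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy


def build_trust_policy(security_account_id, external_id=None):
    """Trust document for the new role: only the security account may assume it.

    Trusting the account root delegates to IAM in the security account, which then
    decides which of its own users or roles may call sts:AssumeRole. An optional
    ExternalId condition blocks confused-deputy calls made on the team's behalf.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_accounts(trust_policy):
    """Account IDs that an Allow/sts:AssumeRole statement lets assume the role.

    Raises ValueError on a wildcard or non-AWS principal, so it doubles as a
    post-deployment check that no member account ended up over-trusting.
    """
    accounts = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            raise ValueError(f"unexpected principal in trust policy: {principal!r}")
        for entry in _as_list(principal["AWS"]):
            if entry == "*":
                raise ValueError("wildcard principal in trust policy")
            # Either a bare 12-digit account ID or an ARN whose 5th field is the account.
            accounts.add(entry.split(":")[4] if entry.startswith("arn:") else entry)
    return accounts


def assume(sts, account_id, role_name, session_name, external_id=None):
    """sts:AssumeRole into account_id/role_name; return a Session on the temporary credentials."""
    import boto3  # lazy, so the pure helpers above work without boto3 installed
    kwargs = {"RoleArn": f"arn:aws:iam::{account_id}:role/{role_name}", "RoleSessionName": session_name}
    if external_id:
        kwargs["ExternalId"] = external_id
    creds = sts.assume_role(**kwargs)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


def list_member_accounts(mgmt_session):
    """Active accounts in the organization other than the management account itself."""
    me = mgmt_session.client("sts").get_caller_identity()["Account"]
    pages = mgmt_session.client("organizations").get_paginator("list_accounts").paginate()
    return [a["Id"] for page in pages for a in page["Accounts"] if a["Status"] == "ACTIVE" and a["Id"] != me]


def provision_member(mgmt_session, member_account_id, security_account_id, external_id=None):
    """Hop into one member account via OrganizationAccountAccessRole and create the read-only role.

    Idempotent: an existing role gets its trust policy replaced instead of failing.
    Returns the ARN the security team will assume.
    """
    member = assume(mgmt_session.client("sts"), member_account_id, ORG_ACCESS_ROLE, "provision-readonly")
    iam = member.client("iam")
    trust = json.dumps(build_trust_policy(security_account_id, external_id))
    try:
        iam.create_role(RoleName=AUDIT_ROLE_NAME, AssumeRolePolicyDocument=trust,
                        Description="Read-only access for the security account", MaxSessionDuration=3600)
    except iam.exceptions.EntityAlreadyExistsException:
        iam.update_assume_role_policy(RoleName=AUDIT_ROLE_NAME, PolicyDocument=trust)
    iam.attach_role_policy(RoleName=AUDIT_ROLE_NAME, PolicyArn=READ_ONLY_POLICY)
    # Check what actually landed, not what was sent: the trust document must name only the security account.
    live = iam.get_role(RoleName=AUDIT_ROLE_NAME)["Role"]["AssumeRolePolicyDocument"]
    if trusted_accounts(live) != {security_account_id}:
        raise RuntimeError(f"{member_account_id}: trust policy trusts {trusted_accounts(live)}")
    return f"arn:aws:iam::{member_account_id}:role/{AUDIT_ROLE_NAME}"


if __name__ == "__main__":
    import boto3
    SECURITY_ACCOUNT_ID = "222222222222"  # assumption: the security account's ID
    EXTERNAL_ID = "security-readonly"     # assumption: shared with the security team out of band
    mgmt = boto3.Session()                # must resolve to management-account credentials
    for account_id in list_member_accounts(mgmt):
        print("ready:", provision_member(mgmt, account_id, SECURITY_ACCOUNT_ID, EXTERNAL_ID))
    # Security-team side, from the security account, reuses the same helper:
    # assume(boto3.Session().client("sts"), "<member-id>", AUDIT_ROLE_NAME, "audit", EXTERNAL_ID)
```

The security team never touches OrganizationAccountAccessRole: their session is built from a second sts:AssumeRole call against SecurityTeamReadOnly in the member account, and the read-back check in provision_member is what catches a member account whose trust policy was edited by hand to something broader than the security account.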