Which solution will meet this requirement?

By:
In: SAP-C01
Tagged:
With: 2 Comments
A company is migrating its development and production workloads to a new organization in AWS Organizations.The company has created a separate member account for development and a separate member account for production.Consolidated billing is inked to the management account.In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts.

Which solution will meet this requirement?

Create an IAM user and a cross-account role in the management account. Configure the cross-account role with least privilege access to the member accounts.

Create an IAM user in each member account. In the management account, create a cross-account role that has least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.

Create an IAM user in the management account. In the member accounts, create an IAM group that has least privilege access. Add the IAM user from the management account to each IAM group in the member accounts.

Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the role by using a trust policy.

Explanations:

In this scenario, creating a cross-account role in the management account is not feasible because the IAM user in the management account needs permissions to stop or terminate resources in both member accounts. The role should be created in the member accounts, not the management account.

This option requires creating IAM users in each member account and a cross-account role in the management account, but the cross-account role must be created in the member accounts and not in the management account to allow the IAM user to manage resources in those accounts.

Creating IAM users in the member accounts and adding the IAM user from the management account to the groups in the member accounts would require managing roles or groups that aren’t ideal for cross-account permissions. The correct approach requires cross-account roles, not group memberships in member accounts.

This option correctly suggests creating an IAM user in the management account, and cross-account roles in the member accounts, with appropriate trust policies to allow the IAM user in the management account to access resources in the member accounts for stopping or terminating resources.

2026-03-20

2 Comments

  1. Martha
    Author

    I reckon the answer is:
    Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the role by using a trust policy.

  2. Ashley
    Author

    I measure that the answer is:
    Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the role by using a trust policy.

Leave a Reply

Your email address will not be published. Required fields are marked *

three × five =