Which combination of steps will meet these requirements? (Choose two.)
In the centralized account, create an IAM role that has the Lambda service as a trusted entity. Add an inline policy to assume the roles of the other AWS accounts.
In the other AWS accounts, create an IAM role that has minimal permissions. Add the centralized account’s Lambda IAM role as a trusted entity.
In the centralized account, create an IAM role that has roles of the other accounts as trusted entities. Provide minimal permissions.
In the other AWS accounts, create an IAM role that has permissions to assume the role of the centralized account. Add the Lambda service as a trusted entity.
In the other AWS accounts, create an IAM role that has minimal permissions. Add the Lambda service as a trusted entity.
Explanations:
This option allows the Lambda functions in the centralized account to assume roles in other accounts. The inline policy grants the `sts:AssumeRole` permission on those roles, which is how the functions reach resources in the other AWS accounts.
This option allows the centralized account’s Lambda functions to assume the role in other accounts. The IAM role in each account has minimal permissions and trusts the centralized account’s Lambda IAM role.
Creating an IAM role with other accounts as trusted entities in the centralized account is unnecessary, as roles in other accounts should grant permissions to the centralized Lambda function.
The centralized account’s role does not need to be assumed by roles in other accounts; instead, it should assume roles in those accounts for access.
Adding the Lambda service as a trusted entity in each account does not allow cross-account access, as the centralized account’s role needs to be trusted, not the Lambda service itself.