How should the SysOps administrator accomplish this task?

By:
In: SOA-C01
Tagged:
With: 1 Comment
A company has a multi-account AWS environment that includes the following:✑ A central identity account that contains all IAM users and groups✑ Several member accounts that contain IAM rolesA SysOps administrator must grant permissions for a particular IAM group to assume a role in one of the member accounts.

How should the SysOps administrator accomplish this task?

In the member account, add sts:AssumeRole permissions to the role’s policy. In the identity account, add a trust policy to the group that specifies the account number of the member account.

In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:AssumeRole permissions.

In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:PassRole permissions.

In the member account, add the group Amazon Resource Name (ARN) to the role’s inline policy. In the identity account, add a trust policy to the group with sts:AssumeRole permissions.

Explanations:

In the member account, thests:AssumeRolepermission should be in the trust policy of the role, not the role’s policy. The trust policy defines who can assume the role. The identity account should not add a trust policy to the group, but rather grant thests:AssumeRolepermission through an inline policy for the group.

The member account’s role trust policy should include the IAM group ARN to allow assumption by the group. The identity account must grant thests:AssumeRolepermission to the group via an inline policy to permit the group members to assume the role.

Thests:PassRolepermission is incorrect because this permission is used to allow passing roles to other resources (e.g., EC2 instances) and not for assuming roles. The group needs thests:AssumeRolepermission, notsts:PassRole.

The trust policy should reside in the role in the member account and should specify the IAM group ARN, but the identity account does not need a trust policy for the group. The group needssts:AssumeRolepermission via an inline policy in the identity account.

2025-10-05

1 Comment

  1. Donald
    Author

    I reckon the answer is:
    In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:AssumeRole permissions.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 2 =