How can this be accomplished?
Create an IAM role in the Production account with the Development account as a trusted entity and then allow those users from the Development account to assume the Production account IAM role.
Create a group of IAM users in the Development account, and add Production account service ARNs as resources in the IAM policy.
Establish a federation between the two accounts using the on-premises Microsoft Active Directory, and allow the Development account to access the Production account through this federation.
Establish an Amazon Cognito Federated Identity between the two accounts, and allow the Development account to access the Production account through this federation.
Explanations:
This is the correct approach. Creating an IAM role in the Production account whose trust policy names the Development account as a trusted entity lets users in the Development account assume that role and obtain temporary credentials for resources in the Production account. This is cross-account access through role assumption.
This approach is incorrect. You cannot grant access to another account's resources simply by adding their ARNs to an IAM policy in the Development account. IAM policies only grant permissions on resources within the same account unless role assumption or another cross-account access mechanism is used.
Federation with an on-premises Microsoft Active Directory does not provide a mechanism for managing access between AWS accounts. Cross-account access is built on IAM roles and cross-account trust, not on an Active Directory federation.
Amazon Cognito Federated Identities handles user authentication and access control for end users coming from external identity providers; it does not address cross-account, IAM role-based access between AWS accounts. It is suited to granting federated end users access to AWS resources, not to managing access between AWS accounts.
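The correct option above needs two policy halves: a trust policy on the Production role and an identity policy in the Development account that allows its users to call sts:AssumeRole. The following is an added example (not code from the original question) that builds both documents and checks the trust half; the account IDs, role name and external ID are constructed placeholders, and the sts:ExternalId condition is an added hardening assumption, not something the question mentions.

```python
from typing import Optional

# Constructed placeholders: not real account IDs, role names or external IDs.
PROD_ACCOUNT = "111111111111"      # Production account (owns the role)
DEV_ACCOUNT = "222222222222"       # Development account (trusted entity)
ROLE_NAME = "DevCrossAccountRole"  # hypothetical role created in Production
EXTERNAL_ID = "constructed-external-id-42"  # hypothetical confused-deputy guard

def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def production_trust_policy(dev_account: str, external_id: str) -> dict:
    """Trust policy on the Production role: names the Development account as
    the trusted principal and requires a matching sts:ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dev_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def development_assume_policy(prod_account: str, role_name: str) -> dict:
    """Identity policy for Development users: the trust alone grants nothing until
    the Development account lets its own principals call sts:AssumeRole on the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": role_arn(prod_account, role_name)}]}

def trust_allows(trust: dict, caller_account: str, external_id: Optional[str]) -> bool:
    """Minimal check of the trust half: listed principal account plus matching ExternalId."""
    for stmt in trust["Statement"]:
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if (stmt["Effect"] == "Allow"
                and f"arn:aws:iam::{caller_account}:root" in principals
                and (required is None or required == external_id)):
            return True
    return False

def main() -> None:
    import boto3  # needed only for this live call, run with Development-account credentials
    resp = boto3.client("sts").assume_role(RoleArn=role_arn(PROD_ACCOUNT, ROLE_NAME),
                                           RoleSessionName="dev-user-session", ExternalId=EXTERNAL_ID)
    print("temporary credentials expire at", resp["Credentials"]["Expiration"])
```

The policy helpers run offline; main() performs the real AssumeRole call and only works once the role exists in Production and the caller holds the Development-side permission.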