How should a solutions architect meet these requirements?
Use the OrganizationAccountAccessRole IAM role to create a new IAM policy with read-only access in each member account. Establish a trust relationship between the IAM policy in each member account and the security account. Ask the security team to use the IAM policy to gain access.
Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.
Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the management account from the security account. Use the generated temporary credentials to gain access.
Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the member account from the security account. Use the generated temporary credentials to gain access.
Explanations:
The OrganizationAccountAccessRole is an IAM role that allows management account access, but creating a new IAM policy in each member account does not establish the necessary trust relationship for cross-account access. Trust relationships must be defined for IAM roles, not policies.
This option properly utilizes the OrganizationAccountAccessRole by creating a new IAM role with read-only access in each member account. Establishing a trust relationship between this IAM role and the security account allows the security team to assume the role and gain access to all member accounts.
This option suggests using the AssumeRole API for the OrganizationAccountAccessRole in the management account. However, the security team needs access to member accounts, not the management account. The OrganizationAccountAccessRole does not facilitate direct access to member accounts for the security team.
While this option involves the security team using AWS STS to assume a role, it incorrectly implies that the security team would assume the OrganizationAccountAccessRole in the member account. This role is intended for the management account and does not provide read-only access to member accounts directly.
It seems to me that the answer is:
Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.