What should a solutions architect recommend?
Create two policy documents using the AWS Management Console in each account. Assign the policy to developers who need access.
Create an IAM role in the Development account. Give one IAM role access to the Production account. Allow developers to assume the role.
Create an IAM role in the Production account with the trust policy that specifies the Development account. Allow developers to assume the role.
Create an IAM group in the Production account and add it as a principal in the trust policy that specifies the Production account. Add developers to the group.
Explanations:
Creating policy documents in each account and assigning them to developers directly is not an ideal approach. It lacks the flexibility needed to manage access across accounts, especially as the team scales in the beta phase.
Creating an IAM role in the Development account and giving it access to the Production account is not recommended: the role must live in the account that owns the resources (Production), with a trust policy naming the Development account, for cross-account access to work securely.
Creating an IAM role in the Production account with a trust policy for the Development account allows the designated developers to assume the role and access resources securely in Production. This setup is scalable and aligns with AWS best practices for cross-account access.
Adding an IAM group in the Production account as a principal in the trust policy is not feasible because groups cannot be principals in a trust policy; a trust policy specifies the entities (AWS accounts, IAM users, IAM roles, or AWS services) that may assume the role.
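The two policy documents behind the correct option, as an added example that is not part of the original question: the trust policy on the Production role names the Development account, and an identity policy in the Development account grants developers sts:AssumeRole on that role. The account IDs and the role name are constructed placeholders, and the final checker flags the IAM group principal that makes the last option invalid.

```python
import json
import re

# Constructed placeholder account IDs and role name; substitute your own.
DEV_ACCOUNT = "111111111111"
PROD_ACCOUNT = "222222222222"
ROLE_NAME = "DevelopersProdAccess"

# Principals IAM accepts in a trust policy: account root, IAM users, IAM roles.
# IAM groups are not principals and cannot appear here.
_VALID_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:(root|user/.+|role/.+)$")


def production_trust_policy(dev_account: str) -> dict:
    """Trust policy for the role in Production: trusts the Development account.
    Which developers may actually assume it is decided in the Development account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dev_account}:root"},
        "Action": "sts:AssumeRole"}]}


def developer_assume_policy(prod_account: str, role_name: str) -> dict:
    """Identity policy attached (e.g. via a group) to developers in Development.
    Trusting the account alone is not enough; each principal also needs this."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{prod_account}:role/{role_name}"}]}


def trust_policy_problems(policy: dict) -> list:
    """List problems with the AWS principals of a trust policy: a wildcard that
    trusts every AWS account, or an ARN (such as an IAM group) that is not a principal."""
    problems = []
    for stmt in policy.get("Statement", []):
        aws = stmt.get("Principal", {}).get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*":
                problems.append("wildcard principal trusts every AWS account")
            elif not _VALID_PRINCIPAL.match(arn):
                problems.append(f"{arn} is not a valid IAM principal (groups are not allowed)")
    return problems


if __name__ == "__main__":
    print(json.dumps(production_trust_policy(DEV_ACCOUNT), indent=2))
    print(json.dumps(developer_assume_policy(PROD_ACCOUNT, ROLE_NAME), indent=2))
    # A developer then runs, with Development credentials:
    # aws sts assume-role --role-arn arn:aws:iam::222222222222:role/DevelopersProdAccess --role-session-name dev-session
```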