What should the solutions architect do next to meet these requirements?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A large payroll company recently merged with a small staffing company.The unified company now has multiple business units, each with its own existing AWS account.A solutions architect must ensure that the company can centrally manage the billing and access policies for all the AWS accounts.The solutions architect configures AWS Organizations by sending an invitation to all member accounts of the company from a centralized management account.

What should the solutions architect do next to meet these requirements?

Create the OrganizationAccountAccess IAM group in each member account. Include the necessary IAM roles for each administrator.

Create the OrganizationAccountAccessPolicy IAM policy in each member account. Connect the member accounts to the management account by using cross-account access.

Create the OrganizationAccountAccessRole IAM role in each member account. Grant permission to the management account to assume the IAM role.

Create the OrganizationAccountAccessRole IAM role in the management account. Attach the AdministratorAccess AWS managed policy to the IAM role. Assign the IAM role to the administrators in each member account.

Explanations:

Creating the OrganizationAccountAccess IAM group in each member account does not facilitate centralized management or access control from the management account. IAM groups do not exist independently in member accounts for this purpose and are not needed for managing access across an organization.

The OrganizationAccountAccessPolicy IAM policy does not exist. AWS uses IAM roles and policies to manage access between accounts, and without a defined policy to allow cross-account access, this option does not effectively enable centralized management.

Creating the OrganizationAccountAccessRole IAM role in each member account allows the management account to assume the role. This is the standard approach for cross-account access in AWS Organizations, enabling centralized management of access and permissions across all accounts.

Creating the OrganizationAccountAccessRole IAM role in the management account is not sufficient. The role must be created in each member account to allow the management account to assume it. Additionally, attaching the AdministratorAccess policy at this level does not address the need for role-based access in the member accounts.

2025-10-21

1 Comment

  1. Virginia
    Author

    I measure that the answer is:
    Create the OrganizationAccountAccessRole IAM role in each member account. Grant permission to the management account to assume the IAM role.

Leave a Reply

Your email address will not be published. Required fields are marked *

eighteen − 5 =