Which combination of access changes will meet these requirements?
(Choose three.)
Create a trust relationship that allows users in the member accounts to assume the management account IAM role.
Create a trust relationship that allows users in the management account to assume the IAM roles of the member accounts.
Create an IAM role in each member account that has access to the AmazonEC2ReadOnlyAccess managed policy.
Create an IAM role in each member account to allow the sts:AssumeRole action against the management account IAM role’s ARN.
Create an IAM role in the management account that allows the sts:AssumeRole action against the member account IAM role’s ARN.
Create an IAM role in the management account that has access to the AmazonEC2ReadOnlyAccess managed policy.
Explanations:
The management account needs permissions to assume roles in the member accounts, enabling it to retrieve EC2 information.
Each member account requires a role with AmazonEC2ReadOnlyAccess to allow the Lambda function to view EC2 security group rules.
The management account needs permissions to assume roles in the member accounts to access EC2 security group data.
The management account does not need to allow users in the member accounts to assume its IAM role; it’s the other way around.
The member account IAM role should allow the management account to assume it, not the other way around.
The management account only needs the ability to assume the roles in the member accounts, not a direct EC2 policy itself.