Which solution will meet these requirements?
Create two policy documents by using the AWS Management Console in each account. Assign the policy to developers who need access.
Create an IAM role in the Development account. Grant the IAM role access to the Production account. Allow developers to assume the role.
Create an IAM role in the Production account. Define a trust policy that specifies the Development account. Allow developers to assume the role.
Create an IAM group in the Production account. Add the group as a principal in a trust policy that specifies the Production account. Add developers to the group.
Explanations:
Creating separate policy documents in each account does not facilitate cross-account access. Policies are account-specific, and this approach would require manual management for each developer’s access rights, which is not scalable for the beta phase.
Creating an IAM role in the Development account that grants access to the Production account does not provide the necessary trust relationship. Roles need to be created in the target account (Production) for users to assume them.
Creating an IAM role in the Production account with a trust policy that specifies the Development account allows developers in the Development account to assume this role. This setup provides controlled access and can be easily scaled to include more developers during the beta phase.
An IAM group cannot be added as a principal in a trust policy. Trust policies are designed to specify IAM roles and accounts, not groups. This would not effectively grant the required access for developers in the Development account.
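The explanations above can be checked against concrete policy documents. The following is an added example, not part of the original question: a simplified checker (not AWS's policy evaluation engine) showing that cross-account access needs both the trust policy on the Production role and an identity policy for the developers, and that a group ARN is rejected as a principal. The account IDs, the role name `ExampleBetaRole`, the group name and all function names are constructed for illustration.

```python
import re

DEV, PROD, OTHER = "111111111111", "222222222222", "333333333333"  # constructed IDs
ROLE_ARN = f"arn:aws:iam::{PROD}:role/ExampleBetaRole"  # hypothetical role name

# Trust policy on the role in the Production account: trusts the Development account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{DEV}:root"}}]}

# Identity policy given to developers in the Development account.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# The group-based option: a group ARN used as the principal (invalid).
GROUP_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{PROD}:group/Developers"}}]}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _allow_assume_statements(policy):
    """Yield Allow statements that name sts:AssumeRole exactly (no wildcard support)."""
    for stmt in _listify(policy["Statement"]):
        actions = _listify(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            yield stmt

def trusted_accounts(trust_policy):
    """Return account IDs the trust policy names; reject group principals."""
    accounts = set()
    for stmt in _allow_assume_statements(trust_policy):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in _listify(aws):
            if re.match(r"arn:aws:iam::\d{12}:group/", arn):
                raise ValueError(f"IAM group is not a valid principal: {arn}")
            m = re.fullmatch(r"arn:aws:iam::(\d{12}):root|(\d{12})", arn)
            if m:
                accounts.add(m.group(1) or m.group(2))
    return accounts

def can_assume(trust_policy, identity_policy, caller_account, role_arn):
    """Both sides must agree: the caller's own policy and the role's trust policy."""
    identity_ok = any(role_arn in _listify(s.get("Resource", []))
                      for s in _allow_assume_statements(identity_policy))
    return identity_ok and caller_account in trusted_accounts(trust_policy)
```
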