Which solution will meet these requirements?
In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda execution role in the new AWS account. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
In the management account, turn on delegated administration for Organizations. Create a new delegation policy that grants the new AWS account permission to create new AWS accounts in Organizations. Ensure that the Lambda execution role has the organizations:CreateAccount permission.
In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda service principal. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
In the management account, enable AWS Control Tower. Turn on delegated administration for AWS Control Tower. Create a resource policy that allows the new AWS account to create new AWS accounts in AWS Control Tower. Update the Lambda function code to use the AWS Control Tower API in the new AWS account. Ensure that the Lambda execution role has the controltower:CreateManagedAccount permission.
Explanations:
This option allows the Lambda function in the new account to assume a role in the management account that has the necessary permissions to create accounts in Organizations. This adheres to the principle of least privilege and ensures that account creation is securely managed from the dedicated AWS account.
Delegated administration allows accounts within the organization to perform specific actions, but it does not grant permissions for actions not directly associated with that account. The Lambda function in the new account would still require permissions from the management account, making it less secure. Additionally, the option lacks the detail of how the Lambda function will execute with the necessary permissions.
Allowing the Lambda service principal to assume the IAM role does not align with best practices. The Lambda function should assume a role that specifically allows it to create accounts in Organizations, but this option does not restrict the permissions appropriately, potentially allowing broader access than intended.
While enabling AWS Control Tower and delegated administration could help manage accounts, this approach requires using the Control Tower API, which may not be appropriate or necessary if the goal is to utilize the Organizations API directly. This introduces complexity and does not focus on the core requirement of account creation via Organizations.
I deduce that the answer is:
In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda execution role in the new AWS account. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.