Which solution will meet this requirement?
Create an IAM user and a cross-account role in the management account. Configure the cross-account role with least privilege access to the member accounts.
Create an IAM user in each member account. In the management account, create a cross-account role that has least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.
Create an IAM user in the management account. In the member accounts, create an IAM group that has least privilege access. Add the IAM user from the management account to each IAM group in the member accounts.
Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the role by using a trust policy.
Explanations:
In this scenario, creating a cross-account role in the management account is not feasible because the IAM user in the management account needs permissions to stop or terminate resources in both member accounts. The role should be created in the member accounts, not the management account.
This option requires creating IAM users in each member account and a cross-account role in the management account, but the cross-account role must be created in the member accounts and not in the management account to allow the IAM user to manage resources in those accounts.
Creating IAM users in the member accounts and adding the IAM user from the management account to the groups in the member accounts would require managing roles or groups that aren’t ideal for cross-account permissions. The correct approach requires cross-account roles, not group memberships in member accounts.
This option correctly suggests creating an IAM user in the management account, and cross-account roles in the member accounts, with appropriate trust policies to allow the IAM user in the management account to access resources in the member accounts for stopping or terminating resources.
I reckon the answer is:
Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the role by using a trust policy.