ExamGecko
Question list
Search
Search

List of questions

Search

Related questions











Question 147 - SCS-C02 discussion

Report
Export

A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account.

Which combination of steps must the company perform to meet this requirement? (Select TWO.)

A.
Create an identity policy that allows the sts: AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.
Answers
A.
Create an identity policy that allows the sts: AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.
B.
Ensure that the sts: AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.
Answers
B.
Ensure that the sts: AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.
C.
Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.
Answers
C.
Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.
D.
Establish a trust relationship between the IAM user and the AWS account that contains the resources.
Answers
D.
Establish a trust relationship between the IAM user and the AWS account that contains the resources.
E.
Create a role in the IAM user's AWS account. Create an identity policy that allows the sts: AssumeRole action. Attach the identity policy to the role.
Answers
E.
Create a role in the IAM user's AWS account. Create an identity policy that allows the sts: AssumeRole action. Attach the identity policy to the role.
Suggested answer: B, C

Explanation:

To allow cross-account access to resources using IAM roles, the following steps are required:

Create a role in the AWS account that contains the resources (the trusting account) and specify the AWS account that contains the IAM user (the trusted account) as a trusted entity in the role's trust policy. This allows users from the trusted account to assume the role and access resources in the trusting account.

Ensure that the IAM user has permission to assume the role in their own AWS account. This can be done by creating an identity policy that allows the sts:AssumeRole action and attaching it to the IAM user or their group.

Ensure that there are no service control policies (SCPs) in the organization that owns the resources that deny or restrict access to the sts:AssumeRole action or the role itself. SCPs are applied to all accounts in an organization and can override any permissions granted by IAM policies.

Verified

Reference:

https://repost.aws/knowledge-center/cross-account-access-iam

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

asked 16/09/2024
C/1094 WOLOGUEDE COTONOU – BENIN NDENDE
36 questions
User
Your answer:
0 comments
Sorted by

Leave a comment first