ExamGecko
Question list
Search
Search

List of questions

Search

Related questions











Question 152 - SCS-C02 discussion

Report
Export

A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company's IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.

The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.

Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?

A.
Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
Answers
A.
Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
B.
Create an SCP that grants permissions to the top-level account.
Answers
B.
Create an SCP that grants permissions to the top-level account.
C.
Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
Answers
C.
Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role's ARN in the policy.
D.
Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.
Answers
D.
Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.
Suggested answer: A

Explanation:

To allow an IAM user in one AWS account to access resources in another AWS account using IAM roles, the following steps are required:

Create a role in the AWS account that contains the resources (the trusting account) and specify the AWS account that contains the IAM user (the trusted account) as a trusted entity in the role's trust policy. This allows users from the trusted account to assume the role and access resources in the trusting account.

Attach a policy to the IAM user in the trusted account that allows the user to assume the role in the trusting account. The policy must specify the ARN of the role that was created in the trusting account.

The IAM user can then switch roles or use temporary credentials to access the resources in the trusting account.

Verified

Reference:

https://repost.aws/knowledge-center/cross-account-access-iam

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

asked 16/09/2024
Reece Scarley
43 questions
User
Your answer:
0 comments
Sorted by

Leave a comment first