DOP-C02 · Question #262
Question
A company uses an organization in AWS Organizations to manage its AWS accounts. The company's DevOps team has developed an AWS Lambda function that calls the Organizations API to create new AWS accounts. The Lambda function runs in the organization's management account. The DevOps team needs to move the Lambda function from the management account to a dedicated AWS account. The DevOps team must ensure that the Lambda function has the ability to create new AWS accounts only in Organizations before the team deploys the Lambda function to the new account. Which solution will meet these requirements?
Options
- A. In the management account, create a new IAM role that has the necessary permission to create
- B. In the management account, turn on delegated administration for Organizations. Create a new
- C. In the management account, create a new IAM role that has the necessary permission to create
- D. In the management account, enable AWS Control Tower. Turn on delegated administration for
Explanation
Option A is correct because creating a cross-account IAM role in the management account with the necessary Organizations permissions, then configuring the Lambda function in the dedicated account to assume that role, is the precise and minimal solution required. This follows the standard AWS cross-account access pattern: the management account trusts the dedicated account's Lambda execution role, allowing it to assume the privileged role and call organizations:CreateAccount - without granting broader administrative access.
Why the distractors are wrong:
- Option B references delegated administration for Organizations, which is designed for services like AWS Config or Security Hub - not for programmatically creating new accounts via the Organizations API from an arbitrary account.
- Option C (while similar to A) likely includes an incorrect or overly broad permission set, or misidentifies where the role/trust relationship should be established, making it functionally flawed.
- Option D introduces AWS Control Tower, which is an account governance service and adds unnecessary complexity - the question only requires the ability to create accounts in Organizations, not full Control Tower lifecycle management.
Memory Tip: Think "cross-account = assume role" - whenever you move a function that calls a privileged API in another account, the answer almost always involves an IAM role with a trust policy in the target privileged account (management account) that the Lambda in the new account can assume. Keep it simple and targeted.
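The cross-account pattern the explanation describes, as an added example that is not part of the exam page: the trust policy and permissions policy for the role in the management account, and the Lambda code in the dedicated account that assumes it. Account IDs, role names and the external ID are placeholder assumptions.

```python
# Cross-account pattern from the explanation: a role in the management account,
# trusted only by the dedicated account's Lambda execution role, scoped to
# organizations:CreateAccount. IDs, names and the external ID are placeholders.
MGMT_ACCOUNT_ID = "111111111111"      # placeholder: management account
LAMBDA_ACCOUNT_ID = "222222222222"    # placeholder: dedicated Lambda account
LAMBDA_EXEC_ROLE = "create-account-lambda-role"  # assumed execution role name
TARGET_ROLE_NAME = "OrgCreateAccountRole"        # assumed role name (mgmt account)
EXTERNAL_ID = "replace-with-random-secret"       # placeholder external ID

def trust_policy() -> dict:
    """Trust policy on the MANAGEMENT-account role: only the dedicated account's
    Lambda execution role may assume it, and only with the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{LAMBDA_ACCOUNT_ID}:role/{LAMBDA_EXEC_ROLE}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }],
    }

def permissions_policy() -> dict:
    """Permissions on that role: only the Organizations calls the function
    needs, instead of broad administrative access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["organizations:CreateAccount",
                       "organizations:DescribeCreateAccountStatus"],
            "Resource": "*",  # CreateAccount has no resource-level scoping
        }],
    }

def lambda_handler(event, context):
    """Runs in the DEDICATED account: assume the management-account role, then
    call CreateAccount with the temporary credentials (needs boto3 at runtime)."""
    import boto3  # imported here so the policy helpers import without the SDK
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{MGMT_ACCOUNT_ID}:role/{TARGET_ROLE_NAME}",
        RoleSessionName="create-account-lambda",
        ExternalId=EXTERNAL_ID,
    )["Credentials"]
    org = boto3.client("organizations",
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    status = org.create_account(Email=event["email"], AccountName=event["name"])
    return status["CreateAccountStatus"]["Id"]
```

The Lambda execution role in the dedicated account still needs its own sts:AssumeRole permission on the management-account role ARN; the trust policy alone is not enough.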