SOA-C03 Question #147: Real Exam Question with Answer & Explanation
The correct answer is B: In the member account, add the group Amazon Resource Name (ARN) to the role's trust policy.
Question
A company has a multi-account AWS environment that includes the following:
- A central identity account that contains all IAM users and groups
- Several member accounts that contain IAM roles
A SysOps administrator must grant permissions for a particular IAM group to assume a role in one of the member accounts. How should the SysOps administrator accomplish this task?
Options
- A. In the member account, add sts:AssumeRole permissions to the role's policy. In the identity
- B. In the member account, add the group Amazon Resource Name (ARN) to the role's trust policy.
- C. In the member account, add the group Amazon Resource Name (ARN) to the role's trust policy.
- D. In the member account, add the group Amazon Resource Name (ARN) to the role's inline policy.
Explanation
Cross-account role assumption requires two explicit permissions. AWS CloudOps documentation states that the target role must trust the principal, and the principal must be allowed to call sts:AssumeRole. In the member account, the role's trust policy must list the IAM group ARN (or the identity account) as a trusted principal. In the identity account, the IAM group must have an inline or attached policy that allows the sts:AssumeRole action for the target role ARN. This dual configuration enables secure and controlled cross-account access.
Community Discussion
No community discussion yet for this question.