
Answer-first summary for fast verification
Answer: In the new member account, create a new IAM role named OrganizationAccountAccessRole. Attach the AdministratorAccess AWS managed policy to this role. In the role's trust policy, grant the management account permission to assume the role.
The correct answer is C. OrganizationAccountAccessRole is created automatically only in accounts that AWS Organizations creates on your behalf. An account that joins by accepting an invitation, as Example Corp's did, keeps whatever IAM roles it already had and does not get this role, so the DevOps engineer's switch-role attempt targets a role that does not exist, which is what the console error reflects. The fix is to create the role in the new member account: name it OrganizationAccountAccessRole, attach the AdministratorAccess AWS managed policy, and give it a trust policy that allows principals in the management account to assume it. This reproduces the role that Organizations provisions for accounts created inside the organization. The other options do not help: A changes permissions in the management account but still leaves no role to assume in the member account; B misuses SCPs, which only cap the permissions an account can use and never grant access; D assumes an existing role to edit, but an invited account has none.
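The following is an added example, not code from the quiz page or from AWS, that carries out option C with boto3 and includes the pre-flight check a practitioner would want before choosing between C and D: whether a trust policy actually allows the management account to call sts:AssumeRole. The management account ID 111122223333 and the other account IDs are constructed placeholders; `create_access_role` expects a boto3 IAM client authenticated to the member account.

```python
"""Create OrganizationAccountAccessRole in an invited member account.

Added example. Assumes credentials for the *member* account when run live
(the `__main__` block); the policy-building and checking helpers run offline.
"""
import json
from typing import Any

ROLE_NAME = "OrganizationAccountAccessRole"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed placeholder; replace with the real management account ID.
MANAGEMENT_ACCOUNT_ID = "111122223333"


def build_trust_policy(management_account_id: str) -> dict[str, Any]:
    """Trust policy letting principals in the management account assume the role.

    This is the same shape Organizations attaches when it creates the role
    for accounts created inside the organization.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows_account(policy: dict[str, Any], account_id: str) -> bool:
    """Return True if an Allow statement lets `account_id` call sts:AssumeRole.

    Accepts both the ARN form and the bare account-ID form of the principal.
    A wildcard ("*") principal is deliberately not accepted: on a role trust
    policy it is a misconfiguration to fix, not a match for this account.
    Use this on an existing role's AssumeRolePolicyDocument to decide whether
    editing it (option D) is even possible; for an invited account there is
    usually no role at all and the role must be created (option C).
    """
    accepted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue
        if accepted & set(_as_list(principal.get("AWS"))):
            return True
    return False


def create_access_role(iam, management_account_id: str) -> str:
    """Create the role in the member account and attach AdministratorAccess.

    `iam` is a boto3 IAM client for the member account. Returns the role ARN.
    """
    resp = iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(management_account_id)),
        Description="Cross-account admin access for the Organizations management account",
    )
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=ADMIN_POLICY_ARN)
    return resp["Role"]["Arn"]


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS

    print(create_access_role(boto3.client("iam"), MANAGEMENT_ACCOUNT_ID))
```

After the role exists, verify from the management account with `aws sts assume-role --role-arn arn:aws:iam::<member-account-id>:role/OrganizationAccountAccessRole --role-session-name check`, or repeat the console switch-role that originally failed. The DevOps engineer's IAM user still needs its own `sts:AssumeRole` permission on that role ARN in the management account, which the question states is already in place.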
Author: LeetQuiz Editorial Team
AnyCompany uses AWS Organizations to manage multiple AWS accounts. After acquiring Example Corp, AnyCompany brought Example Corp's existing AWS account into its organization by sending an Organizations invitation from the management account, and then moved the new member account into an Organizational Unit (OU) created for Example Corp. A DevOps engineer at AnyCompany has an IAM user that accesses member accounts by assuming the OrganizationAccountAccessRole IAM role, which has a policy granting full access. When the engineer tries to assume this role in Example Corp's new member account through the AWS Management Console, the console returns the error "Invalid information in one or more fields. Check your information or contact your administrator." What should be done so that the DevOps engineer can access Example Corp's new member account?
A
In the management account, grant the DevOps engineer's IAM user permission to assume the OrganizationAccountAccessRole IAM role in the new member account.
B
In the management account, create a new Service Control Policy (SCP). Within the SCP, grant the DevOps engineer's IAM user full access to all resources in the new member account. Attach the SCP to the OU containing the new member account.
C
In the new member account, create a new IAM role named OrganizationAccountAccessRole. Attach the AdministratorAccess AWS managed policy to this role. In the role's trust policy, grant the management account permission to assume the role.
D
In the new member account, edit the trust policy for the existing OrganizationAccountAccessRole IAM role. Update the trust policy to grant the management account permission to assume the role.