AnyCompany utilizes AWS Organizations for managing multiple AWS accounts. Upon acquiring Example Corp, the latter's AWS account was integrated into AnyCompany's management account via an Organizations invitation. The new member account was subsequently placed under an Organizational Unit (OU) specifically designated for Example Corp. A DevOps engineer at AnyCompany has an IAM user that assumes the OrganizationAccountAccessRole role to access member accounts; this role is configured with a policy granting full access. However, when attempting to assume this role in Example Corp's new member account through the AWS Management Console, the engineer encounters an error message stating, "Invalid information in one or more fields. Check your information or contact your administrator." What corrective action should be taken to enable the DevOps engineer to access Example Corp's new member account?
Explanation:
The correct answer is C. When a member account is invited to join an AWS Organization, it does not automatically receive an OrganizationAccountAccessRole. This role must be created manually. The recommended action is to create a new IAM role named OrganizationAccountAccessRole in the new member account, attach the AdministratorAccess AWS managed policy to this role, and update the role's trust policy to grant the management account permission to assume the role. This setup essentially duplicates the role automatically created for accounts that are directly created within the organization.
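The following is an added example, not part of the original question or explanation, showing the trust policy the explanation describes and the two IAM calls that create the role and attach AdministratorAccess. The management account ID `111111111111` is a constructed placeholder, and `RecordingIam` is a stand-in for a boto3 IAM client so the example runs offline; with a real `boto3.client("iam")` session in the member account the same function performs the actual creation. The `trust_policy_problems` check is an addition that catches the two mistakes most worth avoiding when building this role by hand: a wildcard principal, and a trust policy that does not actually name the management account.

```python
import json

ROLE_NAME = "OrganizationAccountAccessRole"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy allowing principals in the management account to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trust_policy_problems(policy: dict, management_account_id: str) -> list:
    """Return findings about the trust policy; an empty list means it looks right."""
    problems = []
    expected = f"arn:aws:iam::{management_account_id}:root"
    statements = policy.get("Statement", [])
    if not statements:
        return ["trust policy has no statements"]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or a dict with an "AWS" key holding a string or list.
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "*" in aws_principals:
            problems.append("trust policy allows any AWS principal to assume the role")
        if expected not in aws_principals:
            problems.append(f"management account {management_account_id} is not a trusted principal")
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            problems.append("statement does not grant sts:AssumeRole")
    return problems


def create_org_access_role(iam, management_account_id: str) -> dict:
    """Create OrganizationAccountAccessRole in the member account and attach AdministratorAccess.

    `iam` is a boto3 IAM client (or an offline stand-in with the same two methods).
    """
    policy = build_trust_policy(management_account_id)
    problems = trust_policy_problems(policy, management_account_id)
    if problems:
        raise ValueError("; ".join(problems))
    iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(policy),
        Description="Cross-account admin access from the Organizations management account",
    )
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=ADMIN_POLICY_ARN)
    return policy


class RecordingIam:
    """Offline stand-in for a boto3 IAM client; records the calls it receives."""

    def __init__(self):
        self.calls = []

    def create_role(self, **kwargs):
        self.calls.append(("create_role", kwargs))
        return {"Role": {"RoleName": kwargs["RoleName"]}}

    def attach_role_policy(self, **kwargs):
        self.calls.append(("attach_role_policy", kwargs))
        return {}


if __name__ == "__main__":
    fake = RecordingIam()
    create_org_access_role(fake, "111111111111")  # constructed management account ID
    for name, args in fake.calls:
        print(name, json.dumps(args, indent=2))
```

Once the role exists, the engineer's console "Switch Role" with account `111111111111` replaced by the real member account ID and role name `OrganizationAccountAccessRole` succeeds because the trust policy now names the management account; the wildcard-principal finding is the one to watch for if the trust policy is ever edited by hand, since it would let any AWS account assume an administrator role in the member account.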