
Answer-first summary for fast verification
Answer: Create a SysAdmin role in each workload account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the operations account. In the operations account, create an IAM user group that is named SysAdmins. Add an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload account. Add all operations team members to the group.
The correct set of actions includes: (1) Creating a SysAdmin role in each workload account and attaching the AdministratorAccess policy to it, while modifying the trust relationship to allow the sts:AssumeRole action from the operations account (Option B). This ensures the operations team can assume the role and have admin access in the workload accounts. (2) Creating an IAM user group named SysAdmins in the operations account, and adding an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload account, then adding all operations team members to this group (Option E). This setup allows centralized management and consistent access control as required, without creating individual users in the workload accounts.
Author: LeetQuiz Editorial Team
A company manages its AWS environment through AWS Organizations, with multiple workload accounts hosting enterprise applications. User management is centralized in an operations account, and no user creation is allowed in the workload accounts. The company has introduced a new operations team that requires administrator access to all workload accounts. What set of actions should be implemented to grant the operations team members the necessary access?
A. Create a SysAdmin role in the operations account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the workload accounts.
B. Create a SysAdmin role in each workload account. Attach the AdministratorAccess policy to the role. Modify the trust relationship to allow the sts:AssumeRole action from the operations account.
C. Create an Amazon Cognito identity pool in the operations account. Attach the SysAdmin role as an authenticated role.
D. In the operations account, create an IAM user for each operations team member.
E. In the operations account, create an IAM user group that is named SysAdmins. Add an IAM policy that allows the sts:AssumeRole action for the SysAdmin role in each workload account. Add all operations team members to the group.
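
The two halves of the answer (options B and E) written out as policy documents, with a small check that cross-account sts:AssumeRole only succeeds when both the role's trust policy and the caller's group policy allow it. This is an added example, not part of the original question; the account IDs are constructed placeholders, and the evaluator is a simplified model (exact ARN matches only, no wildcards, Deny statements, conditions or SCPs, and the AdministratorAccess attachment is not modelled).

```python
import json

OPS_ACCOUNT = "111111111111"                           # constructed placeholder IDs
WORKLOAD_ACCOUNTS = ["222222222222", "333333333333"]
ROLE_NAME = "SysAdmin"

def role_arn(account_id):
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"

def trust_policy(trusted_account):
    """Trust policy on the SysAdmin role in a workload account (option B)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole"}]}

def group_policy(workload_accounts):
    """Identity policy on the SysAdmins group in the operations account (option E)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [role_arn(a) for a in workload_accounts]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def identity_allows(policy, target_arn):
    # Caller side: the group policy must name the target role.
    return any(s["Effect"] == "Allow"
               and "sts:AssumeRole" in _as_list(s["Action"])
               and target_arn in _as_list(s["Resource"])
               for s in policy["Statement"])

def trust_allows(policy, caller_account):
    # Role side: the trust policy must name the caller's account as principal.
    principal = f"arn:aws:iam::{caller_account}:root"
    return any(s["Effect"] == "Allow"
               and "sts:AssumeRole" in _as_list(s["Action"])
               and principal in _as_list(s["Principal"].get("AWS", []))
               for s in policy["Statement"])

def can_assume(caller_account, caller_policy, target_account, target_trust):
    """Cross-account AssumeRole needs BOTH sides to allow it."""
    return (identity_allows(caller_policy, role_arn(target_account))
            and trust_allows(target_trust, caller_account))

if __name__ == "__main__":
    print(json.dumps(trust_policy(OPS_ACCOUNT), indent=2))
    print(json.dumps(group_policy(WORKLOAD_ACCOUNTS), indent=2))
```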