AWS Certified Solutions Architect - Professional / Question #920 of 529

Question #920

A financial institution uses AWS Organizations to manage its accounts. A solutions architect uses the IAM user AdminUser from the management account to create a new member account for a loan processing system, using loans@example.com as the email. What should the architect do to create IAM groups in the new member account?

A

Sign in to the AWS Management Console using the root user credentials of the new account, obtained via the initial email sent to loans@example.com, and create the IAM groups.

B

From the management account, switch roles to assume the OrganizationAccountAccessRole in the new member account using its account ID, then create the IAM groups.

C

Use the management account's root user credentials to sign in to the new account's console and create the groups.

D

Access the new account's console by signing in with the AdminUser IAM credentials and the new account's ID, then create the groups.

Explanation

Answer B is correct because, when AWS Organizations creates a member account, it also creates a role in that account (named OrganizationAccountAccessRole unless a different name is given at creation time) whose trust policy trusts the management account and whose permissions policy grants full administrative access. AdminUser, an IAM user in the management account, can assume that role (by its ARN, which contains the new account's ID) provided AdminUser has sts:AssumeRole permission for it, and can then create the IAM groups without root credentials or an IAM user in the member account. Note that this role is only created for accounts created through Organizations; an existing account that is invited into the organization does not get it automatically.

Why other options are incorrect:
- A: No root password is set for an account created by Organizations; the architect would have to run the root password-recovery flow against loans@example.com, and AWS recommends leaving the root user unused for day-to-day administration.
- C: The root user belongs to the management account only; it cannot sign in to the member account's console. (It is a different thing from the role-assumption path in B.)
- D: IAM users are scoped to the account that owns them; AdminUser cannot sign in to another account's console, regardless of which account ID is entered.

Key Points:
1. OrganizationAccountAccessRole is auto-created in member accounts that Organizations creates (not in invited accounts).
2. Cross-account access requires role assumption: the role's trust policy must trust the caller's account, and the caller's identity policy must allow sts:AssumeRole on the role.
3. Root and IAM users are not shared across accounts.
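The following is an added illustration, not part of the original question page and not AWS's own evaluation engine. It models only the two checks that decide whether sts:AssumeRole succeeds for the OrganizationAccountAccessRole: the trust policy in the member account and the caller's identity policy in the management account. The account IDs, the AdminUser identity policy and the trust-policy wording are assumptions; the scenarios correspond to options B, C and D above.

```python
"""Toy model of cross-account AssumeRole evaluation (constructed example).

Covers only Allow statements for sts:AssumeRole; enough to show why
option B works and why root users or IAM users from other accounts do not.
"""
import re

MGMT_ACCOUNT = "111111111111"    # assumed management account id
MEMBER_ACCOUNT = "222222222222"  # assumed id of the new loans account
ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/OrganizationAccountAccessRole"

# Trust policy shape Organizations attaches to the role in a created account:
# the "root" principal ARN here means "every principal in that account".
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Assumed identity policy for AdminUser in the management account; scoping the
# Resource to a single role ARN is a least-privilege choice made for this example.
ADMIN_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    }],
}


def account_of(arn):
    """Account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def trust_policy_allows(trust_policy, caller_arn):
    """Resource-based half: does the role's trust policy accept this caller?"""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        for principal in _as_list(stmt["Principal"].get("AWS", [])):
            if principal == "*" or principal == caller_arn:
                return True
            # arn:aws:iam::ACCOUNT:root delegates to every principal in ACCOUNT
            if principal.endswith(":root") and account_of(principal) == account_of(caller_arn):
                return True
    return False


def identity_policy_allows(policy, role_arn):
    """Identity-based half: may the caller call sts:AssumeRole on this role?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt["Action"])):
            continue
        if any(_matches(r, role_arn) for r in _as_list(stmt["Resource"])):
            return True
    return False


def can_assume(caller_arn, role_arn, trust_policy, identity_policy=None):
    """Both halves must pass; the root user of the trusted account has no identity policy to check."""
    if not trust_policy_allows(trust_policy, caller_arn):
        return "denied: caller not trusted by role"
    if caller_arn.endswith(":root"):
        return "allowed"
    if identity_policy is None or not identity_policy_allows(identity_policy, role_arn):
        return "denied: caller lacks sts:AssumeRole"
    return "allowed"


def scenarios():
    """Outcomes for the principals discussed in the answer options."""
    admin = f"arn:aws:iam::{MGMT_ACCOUNT}:user/AdminUser"
    return {
        "B: AdminUser with AssumeRole permission": can_assume(admin, ROLE_ARN, TRUST_POLICY, ADMIN_USER_POLICY),
        "AdminUser without AssumeRole permission": can_assume(admin, ROLE_ARN, TRUST_POLICY),
        "C: management account root user": can_assume(f"arn:aws:iam::{MGMT_ACCOUNT}:root", ROLE_ARN, TRUST_POLICY),
        "D: same user name in an unrelated account": can_assume(
            "arn:aws:iam::333333333333:user/AdminUser", ROLE_ARN, TRUST_POLICY, ADMIN_USER_POLICY),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome}")
```

The model shows the point the explanation makes: trust alone is not enough, so an AdminUser whose identity policy lacks sts:AssumeRole is refused even though the trust policy names its account. In practice the equivalent step is `aws sts assume-role --role-arn <ROLE_ARN> --role-session-name <name>` run with AdminUser's credentials, followed by `aws iam create-group` using the temporary credentials returned.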

Answer

The correct answer is: B