Question #838
A company utilizes AWS Organizations with a multi-account architecture. The current security setup includes SCPs, resource-based policies, identity-based policies, trust policies, and session policies. A solutions architect must enable an IAM user in Account X to assume a role in Account Y. Which combination of steps should the solutions architect take to fulfill this requirement? (Choose three.)
Configure the SCP for Account X to permit the action.
Configure the resource-based policies in Account Y to permit the action.
Configure the identity-based policy on the user in Account X to permit the action.
Configure the identity-based policy on the role in Account Y to permit the action.
Configure the trust policy on the target role in Account Y to permit the action.
Configure a session policy to delegate permissions via the GetFederationToken API operation.
Explanation
To enable an IAM user in Account X to assume a role in Account Y:
- A: Service Control Policies (SCPs) in AWS Organizations can block actions even if other policies allow them. The SCP in Account X must permit the sts:AssumeRole action.
- C: The IAM user in Account X needs an identity-based policy granting permission to assume the role in Account Y (e.g., via sts:AssumeRole).
- E: The role in Account Y must have a trust policy allowing the IAM user/Account X to assume it.
Why others are incorrect:
- B: Resource-based policies (e.g., S3 bucket policies) are unrelated to IAM role assumption.
- D: The role's identity-based policy defines its permissions post-assumption, not cross-account access.
- F: Session policies apply to temporary credentials via GetFederationToken, not role assumption.
Key Points: Cross-account access requires permissions in the source account (SCP + user policy) and a trust relationship in the target account (role trust policy).
Answer
The correct answer is: ACE