AWS Certified Solutions Architect - Professional / Question #838 of 529

Question #838

A company utilizes AWS Organizations with a multi-account architecture. The current security setup includes SCPs, resource-based policies, identity-based policies, trust policies, and session policies. A solutions architect must enable an IAM user in Account X to assume a role in Account Y. Which combination of steps should the solutions architect take to fulfill this requirement? (Choose three.)

A

Configure the SCP for Account X to permit the action.

B

Configure the resource-based policies in Account Y to permit the action.

C

Configure the identity-based policy on the user in Account X to permit the action.

D

Configure the identity-based policy on the role in Account Y to permit the action.

E

Configure the trust policy on the target role in Account Y to permit the action.

F

Configure a session policy to delegate permissions via the GetFederationToken API operation.

Explanation

To enable an IAM user in Account X to assume a role in Account Y:

- A: Service Control Policies (SCPs) in AWS Organizations can block actions even if other policies allow them. The SCP in Account X must permit the sts:AssumeRole action.
- C: The IAM user in Account X needs an identity-based policy granting permission to assume the role in Account Y (e.g., via sts:AssumeRole).
- E: The role in Account Y must have a trust policy allowing the IAM user/Account X to assume it.

Why others are incorrect:
- B: Resource-based policies (e.g., S3 bucket policies) are unrelated to IAM role assumption.
- D: The role's identity-based policy defines its permissions post-assumption, not cross-account access.
- F: Session policies apply to temporary credentials via GetFederationToken, not role assumption.

Key Points: Cross-account access requires permissions in the source account (SCP + user policy) and a trust relationship in the target account (role trust policy).

Answer

The correct answer is: ACE