How to allow an IAM user in Account A to assume a role in Account B in an AWS organization


A company is using AWS Organizations with a multi-account architecture. The company's current security configuration for the account architecture includes SCPs, resource-based policies, identity-based policies, trust policies, and session policies.

A solutions architect needs to allow an IAM user in Account A to assume a role in Account B.

Which combination of steps must the solutions architect take to meet this requirement? (Choose three.)

A. Configure the SCP for Account A to allow the action.

B. Configure the resource-based policies to allow the action.

C. Configure the identity-based policy on the user in Account A to allow the action.

D. Configure the identity-based policy on the user in Account B to allow the action.

E. Configure the trust policy on the target role in Account B to allow the action.

F. Configure the session policy to allow the action and to be passed programmatically by the GetSessionToken API operation.

1 Answer

Accepted Answer

To allow an IAM user in Account A to assume a role in Account B within an AWS organization, you need to configure the necessary permissions and trust relationships. The following steps are required:

Configure the identity-based policy on the user in Account A to allow the action.

**Option C:** The IAM user in Account A needs an identity-based policy that allows them to assume the role in Account B. This policy will use the sts:AssumeRole action and specify the ARN of the role in Account B.

Configure the trust policy on the target role in Account B to allow the action.

**Option E:** The role in Account B must have a trust policy that specifies Account A as a trusted entity, allowing users or roles in Account A to assume the role. This is configured using the Principal element in the trust policy.

Configure the SCP for Account A to allow the action.

**Option A:** Service Control Policies (SCPs) can be used to control what actions are allowed across the entire organization or specific accounts. Ensure that the SCP for Account A allows the sts:AssumeRole action. If the SCP restricts this action, it must be adjusted to allow it.

Correct Options:

A. Configure the SCP for Account A to allow the action.

C. Configure the identity-based policy on the user in Account A to allow the action.

E. Configure the trust policy on the target role in Account B to allow the action.

Explanation of Incorrect Options:

B. Configure the resource-based policies to allow the action:

Resource-based policies are typically used to control access to specific resources like S3 buckets, not for cross-account role assumption.

D. Configure the identity-based policy on the user in Account B to allow the action:

The identity-based policy for users in Account B is not relevant here, as the user in Account A needs permission to assume the role.

F. Configure the session policy to allow the action and to be passed programmatically by the GetSessionToken API operation:

Session policies are used to further restrict the permissions of a role during the session. They are not necessary for the basic setup of cross-account role assumption.
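As an added example (not part of the question or the answer above), here are the three policy documents the accepted answer names, written with constructed account IDs, user and role names, together with a simplified evaluator that shows the AssumeRole call succeeds only when the SCP, the identity-based policy and the trust policy all allow it:

```python
"""Added example, not from the original post. All account IDs, user names
and role ARNs below are constructed placeholders."""
import fnmatch

ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"   # constructed IDs
USER_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/alice"       # constructed user
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/CrossAccountReadOnly"  # constructed

# Option C: identity-based policy attached to the user in Account A
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Option E: trust policy on the target role in Account B (trusts Account A)
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
     "Action": "sts:AssumeRole"}]}

# Option A: the SCP applied to Account A must not deny the call
SCP_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_DENY_STS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    """True when the statement's Action and Resource patterns cover the request."""
    return (any(fnmatch.fnmatch(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatch(resource, r) for r in _as_list(stmt.get("Resource", ["*"]))))

def _effect(policy, action, resource):
    """Simplified IAM logic: explicit Deny wins, then Allow, otherwise implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else "Deny")

def _trusted(trust_policy, caller_arn):
    """Caller is trusted if named directly or via its account root in an Allow statement."""
    caller_account = caller_arn.split(":")[4]
    for s in trust_policy["Statement"]:
        if s["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(s["Action"]):
            continue
        for p in _as_list(s.get("Principal", {}).get("AWS", [])):
            if p == caller_arn or p == f"arn:aws:iam::{caller_account}:root":
                return True
    return False

def can_assume(caller_arn, role_arn, identity_policy, trust_policy, scp):
    """All three gates must pass: SCP on the caller's account, identity policy, trust policy."""
    return (_effect(scp, "sts:AssumeRole", role_arn) == "Allow"
            and _effect(identity_policy, "sts:AssumeRole", role_arn) == "Allow"
            and _trusted(trust_policy, caller_arn))
```

Swapping in SCP_DENY_STS, an empty identity policy, or a caller from a third account each makes can_assume return False, which is the same reason each of A, C and E is required.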

answered 4 months ago
