To allow an IAM user in Account A to assume a role in Account B within an AWS organization, you need to configure the necessary permissions and trust relationships. The following steps are required:
Configure the identity-based policy on the user in Account A to allow the action.
**Option C:** The IAM user in Account A needs an identity-based policy that allows them to assume the role in Account B. This policy will use the sts:AssumeRole action and specify the ARN of the role in Account B.
Configure the trust policy on the target role in Account B to allow the action.
**Option E:** The role in Account B must have a trust policy that specifies Account A as a trusted entity, allowing users or roles in Account A to assume the role. This is configured using the Principal element in the trust policy.
Configure the SCP for Account A to allow the action.
**Option A:** Service Control Policies (SCPs) can be used to control what actions are allowed across the entire organization or specific accounts. Ensure that the SCP for Account A allows the sts:AssumeRole action. If the SCP restricts this action, it must be adjusted to allow it.
Correct Options:
A. Configure the SCP for Account A to allow the action.
C. Configure the identity-based policy on the user in Account A to allow the action.
E. Configure the trust policy on the target role in Account B to allow the action.
Explanation of Incorrect Options:
B. Configure the resource-based policies to allow the action:
Resource-based policies are typically used to control access to specific resources like S3 buckets, not for cross-account role assumption.
D. Configure the identity-based policy on the user in Account B to allow the action:
The identity-based policy for users in Account B is not relevant here, as the user in Account A needs permission to assume the role.
F. Configure the session policy to allow the action and to be passed programmatically by the GetSessionToken API operation:
Session policies are used to further restrict the permissions of a role during the session. They are not necessary for the basic setup of cross-account role assumption.
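As an added illustration (not part of the answer above), here is a small Python model of the three policies named in options A, C and E; the account IDs, user ARN and role ARN are constructed samples and the evaluator is a deliberate simplification of IAM's real logic. It shows that the AssumeRole call succeeds only when the SCP, the identity-based policy and the trust policy all allow it, and fails as soon as the SCP denies sts:AssumeRole or the caller comes from an account the role does not trust.

```python
import fnmatch

# Constructed sample ARNs: Account A = 111111111111, Account B = 222222222222.
USER_ARN = "arn:aws:iam::111111111111:user/alice"
ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccountRole"

# Option A: SCP on Account A. An SCP never grants, it only bounds; this one permits everything.
SCP_ACCOUNT_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Same SCP with a Deny added: the call fails even though the other two policies allow it.
SCP_ACCOUNT_A_BLOCKED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]}
# Option C: identity-based policy on the user in Account A, scoped to the one role ARN.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
# Option E: trust policy on the role in Account B; trusting the account root delegates
# the decision of who may assume the role to Account A's identity-based policies.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"}]}

def _matches(pattern, value):
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _principal_ok(principal, caller_arn):
    trusted = principal.get("AWS", []) if isinstance(principal, dict) else principal
    trusted = trusted if isinstance(trusted, list) else [trusted]
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    return any(t in ("*", caller_arn, account_root) for t in trusted)

def _evaluate(policy, action, resource=None, caller=None):
    """Simplified IAM logic: a matching explicit Deny wins, otherwise an Allow is required."""
    allowed = False
    for s in policy["Statement"]:
        if not _matches(s.get("Action", []), action):
            continue
        if resource and "Resource" in s and not _matches(s["Resource"], resource):
            continue
        if caller and not _principal_ok(s.get("Principal", {}), caller):
            continue
        if s["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_assume_role(scp, identity_policy, trust_policy, caller_arn, role_arn):
    """Returns (decision, per-gate results); every gate must allow for the call to succeed."""
    gates = {"scp": _evaluate(scp, "sts:AssumeRole", resource=role_arn),
             "identity": _evaluate(identity_policy, "sts:AssumeRole", resource=role_arn),
             "trust": _evaluate(trust_policy, "sts:AssumeRole", caller=caller_arn)}
    return all(gates.values()), gates
```

Resource-based policies on other services and session policies (options B and F) play no part in this decision, which is why they are absent from the model.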