Which combination of steps must the company perform to meet this requirement?

A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization’s AWS account.

Which combination of steps must the company perform to meet this requirement? (Select TWO.)
A . Create an identity policy that allows the sts: AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.
B . Ensure that the sts: AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.
C . Create a role in the AWS account that contains the resources. Create an entry in the role’s trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.
D . Establish a trust relationship between the IAM user and the AWS account that contains the resources.
E . Create a role in the IAM user’s AWS account. Create an identity policy that allows the sts: AssumeRole action. Attach the identity policy to the role.

View Answer

Answer: A C

Explanation:

Option A: Create an identity policy that allows the sts:AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user. This will ensure that the IAM user has the necessary permissions to assume roles in the other account.

Option C: Create a role in the AWS account that contains the resources. Create an entry in the role’s trust policy that allows the IAM user to assume the role. Attach the trust policy to the role. This step is necessary to allow the IAM user from the other account to assume the role in this account.

Explanation of other options:

Option B: This option involves Service Control Policies (SCPs), which are used to define the maximum permissions for account members in AWS Organizations. While ensuring the SCPs allow the sts:AssumeRole action might be necessary, it doesn’t directly allow cross-account role assumption.

Option D: This option seems too vague and doesn’t clearly explain how the trust relationship would be established. Trust relationships are generally established via trust policies, as mentioned in option C.

Option E: This option suggests creating a role in the IAM user’s account and attaching a policy allowing sts:AssumeRole to this role. This wouldn’t be effective since the role that needs to be assumed would be in the other AWS account that contains the resources, not in the IAM user’s own account.