AWS Certified SysOps Administrator SOA-C01 – Question 878

A company has a multi-account AWS environment that includes the following:

  • A central identity account that contains all IAM users and groups
  • Several member accounts that contain IAM roles

A SysOps administrator must grant permissions for a particular IAM group to assume a role in one of the member accounts.

How should the SysOps administrator accomplish this task?

A. In the member account, add sts:AssumeRole permissions to the role’s policy. In the identity account, add a trust policy to the group that specifies the account number of the member account.
B. In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:AssumeRole permissions.
C. In the member account, add the group Amazon Resource Name (ARN) to the role’s trust policy. In the identity account, add an inline policy to the group with sts:PassRole permissions.
D. In the member account, add the group Amazon Resource Name (ARN) to the role’s inline policy. In the identity account, add a trust policy to the group with sts:AssumeRole permissions.

Correct Answer: A