You are looking to migrate your Development and Test environments to AWS.
You have decided to use separate AWS accounts to host each environment.
You plan to link each account bill to a Management AWS account using Consolidated Billing.
To make sure that you keep within the budget, you would like to implement a way for administrators in the Management account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts.
Identify which of the options will allow you to achieve this goal.
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - C.
The scenario here is asking you to give permissions to administrators in the Management account such that they can have access to stop, delete, and terminate the resources in two accounts: Dev and Test.
Tip: Remember that you always create roles in the account whose resources are to be accessed.
In this example, that would be Dev and Test.
Then you create the users in the account who will be accessing the resources and give them that particular role.
In this example, the Management account should create the users.
Option A is incorrect because the Management account IAM user needs to assume roles from the Dev and Test accounts.
The roles should have suitable permissions so that the Management account IAM user can access resources.
Option B is incorrect because the cross-account role should be created in Dev and Test accounts, not in the Management account.
Option C is CORRECT because (a) the cross-account role is created in Dev and Test accounts, and the users are created in the Management account given that role.
Option D is incorrect because consolidated billing does not give access to resources in this fashion.
For more information on cross-account access, please visit the below URL-
http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.htmlThe correct answer is A. Create IAM users in the Management account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant Management account access to the resources in the account by inheriting permissions from the Management account.
This option uses IAM roles to grant access to resources in the Dev and Test accounts. By creating IAM users in the Management account with full Admin permissions and cross-account roles in the Dev and Test accounts, you can grant the Management account administrators access to the resources in both accounts.
The cross-account roles in the Dev and Test accounts can inherit permissions from the Management account, which allows for centralized control and management of permissions. This approach is secure as it ensures that access is only granted to the specific resources required, and not all resources in the account.
Option B is incorrect as it gives full Admin permissions to the Dev and Test accounts, which can create security risks and violate the principle of least privilege.
Option C is incorrect because the IAM users in the Management account with "AssumeRole" permissions can only assume the role in the Dev and Test accounts but won't have admin permissions to stop, delete, or terminate resources.
Option D is also incorrect because Consolidated Billing only consolidates billing information, and it doesn't grant access to resources in the Dev and Test accounts.
In conclusion, option A is the most appropriate option as it provides granular control over permissions, and it is secure and straightforward to manage.