Topic 1 Question 247
A company uses an organization in AWS Organizations to manage its AWS accounts. The company's DevOps team has developed an AWS Lambda function that calls the Organizations API to create new AWS accounts.
The Lambda function runs in the organization's management account. The DevOps team needs to move the Lambda function from the management account to a dedicated AWS account. The DevOps team must ensure that the Lambda function has the ability to create new AWS accounts only in Organizations before the team deploys the Lambda function to the new account.
Which solution will meet these requirements?
A. In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda execution role in the new AWS account. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
B. In the management account, turn on delegated administration for Organizations. Create a new delegation policy that grants the new AWS account permission to create new AWS accounts in Organizations. Ensure that the Lambda execution role has the organizations:CreateAccount permission.
C. In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda service principal. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.
D. In the management account, enable AWS Control Tower. Turn on delegated administration for AWS Control Tower. Create a resource policy that allows the new AWS account to create new AWS accounts in AWS Control Tower. Update the Lambda function code to use the AWS Control Tower API in the new AWS account. Ensure that the Lambda execution role has the controltower:CreateManagedAccount permission.
Comments (4)
Selected Answer: A
Create an IAM Role with Necessary Permissions:
- In the management account, create an IAM role with permissions to call the AWS Organizations API for creating new accounts.
Allow Role Assumption:
- Configure this IAM role to be assumable by the Lambda execution role in the new AWS account. This way, the Lambda function in the new account can assume the role to gain the necessary permissions.
Update Lambda Function and Execution Role:
- Modify the Lambda function code in the new account to assume the role created in the management account when it needs to create new AWS accounts. Also, ensure the Lambda execution role in the new account has the permissions required to assume the role in the management account.
👍 5 jamesf 2024/07/30
Selected Answer: A
- Create IAM Role in Management Account: include actions like "organizations:CreateAccount"
- Allow Role Assumption: specifying the ARN of the Lambda execution role in the new account in the trust policy of the IAM role.
- Using the AWS SDK to assume the role and get temporary credentials in Lambda's code
- Ensure that the Lambda execution role in the new account has the necessary permissions to assume the IAM role created in the management account.
👍 4 trungtd 2024/07/14
Selected Answer: A
A for me
👍 3 [Removed] 2024/08/20
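The cross-account flow the commenters describe (a management-account role trusted only by the Lambda execution role, an execution-role policy allowing sts:AssumeRole on just that role, and SDK code that assumes it before calling CreateAccount), written out as an added example; it is not code from the exam page or from any commenter. Account IDs, role names and the client-injection pattern are constructed for illustration.

```python
import functools

# Placeholder account IDs and role names (constructed for this example).
MGMT_ACCOUNT = "111111111111"
NEW_ACCOUNT = "222222222222"
ORG_ROLE_ARN = f"arn:aws:iam::{MGMT_ACCOUNT}:role/OrgAccountCreator"
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{NEW_ACCOUNT}:role/AccountCreatorLambdaRole"


def management_role_policies() -> dict:
    """Trust and permission policies for the role in the management account.
    The trust policy names the Lambda execution role ARN in the new account,
    not the generic lambda.amazonaws.com service principal, so only that role
    can assume it; the permission policy allows account creation only."""
    return {
        "trust": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": LAMBDA_EXEC_ROLE_ARN}}]},
        "permissions": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "organizations:CreateAccount",
            "Resource": "*"}]},
    }


def execution_role_policy() -> dict:
    """Inline policy on the Lambda execution role in the new account: it may
    assume exactly the management-account role and nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ORG_ROLE_ARN}]}


def create_account(sts_client, org_client_factory, email: str, name: str) -> str:
    """Assume the management-account role, then call CreateAccount with the
    temporary credentials. Clients are injected so the flow runs offline;
    returns the CreateAccountStatus Id used to poll for completion."""
    creds = sts_client.assume_role(
        RoleArn=ORG_ROLE_ARN, RoleSessionName="account-creator")["Credentials"]
    org = org_client_factory(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])
    return org.create_account(Email=email, AccountName=name)["CreateAccountStatus"]["Id"]


def lambda_handler(event, context):
    """Entry point when deployed; boto3 is present in the Lambda runtime."""
    import boto3
    return create_account(boto3.client("sts"),
                          functools.partial(boto3.client, "organizations"),
                          event["email"], event["name"])
```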