Topic 1 Question 250
A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company’s IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.
The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role, the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.
Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?
Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role’s ARN in the policy.
Create an SCP that grants permissions to the top-level account.
Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role’s ARN in the policy.
Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.
ユーザの投票
コメント(2)
- 正解だと思う選択肢: C
Cross account role.
👍 1Bachhu2025/01/02 - 正解だと思う選択肢: A
A. Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role’s ARN in the policy.
Explanation: The IAM role in the top-level account is created to allow read-only access to specific CloudTrail logs. To allow an IAM user in a business unit account to access the logs, the user must assume the role in the top-level account. An IAM policy must be attached to the IAM user in the business unit account, allowing them to assume the role using the role's Amazon Resource Name (ARN).
👍 1AWSLoverLoverLoverLoverLover2025/02/21
シャッフルモード