Examice

Exam SAA-C03 All QuestionsBrowse all questions from this exam

Question 870

A company has two AWS accounts: Production and Development. The company needs to push code changes in the Development account to the Production account. In the alpha phase, only two senior developers on the development team need access to the Production account. In the beta phase, more developers will need access to perform testing.

Which solution will meet these requirements?

Create two policy documents by using the AWS Management Console in each account. Assign the policy to developers who need access.

Create an IAM role in the Development account. Grant the IAM role access to the Production account. Allow developers to assume the role.

Create an IAM role in the Production account. Define a trust policy that specifies the Development account. Allow developers to assume the role.

Create an IAM group in the Production account. Add the group as a principal in a trust policy that specifies the Production account. Add developers to the group.

Correct Answer: C

To meet the requirement of allowing only two senior developers from the Development account to access the Production account initially, and then more developers later, the best solution is to create an IAM role in the Production account. This role should have a trust policy that specifies the Development account as a trusted entity. By using this method, developers in the Development account can assume the role to access resources in the Production account. This approach provides fine-grained control over who can access the Production account by managing the trust relationship and role policies efficiently.

Discussion

f07ed8fOption: C

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

802c4ffOption: C

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Mayank0502Option: D

answer should be D

TwinSparkOption: D

Weird question, but D is actually the only one that allow you to select which developer got access and when, so will go for D

KennethNg923

Agree, as C will let any developers assume the role without control

KennethNg923

I check here: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html, and yes it should be use IAM role, I correct my choice to C

03beafcOption: A

you can't assign groups as principals, b and c don't specify only the senior devs, a is the only one that works here

03beafc

edit, none of these answers are right....

Mikado211Option: D

If you want ALL the developers to assume the role in the production, then C using a trust policy to assume the role in production is perfect BUT You could allow users in development account to assume the role in production, but in the end you will maintain potentially a big trust policy depending of the total number of users. Here you want only some developers to connect to the production (others will follow without knowing if they all can connect and without knowing the number) so managing a separate group will give you a little more maintenance but will allow you to have different rights between the users. I'd say D

xBUGxOption: D

i think D is better