
SAA-C03 Exam - Question 870


A company has two AWS accounts: Production and Development. The company needs to push code changes in the Development account to the Production account. In the alpha phase, only two senior developers on the development team need access to the Production account. In the beta phase, more developers will need access to perform testing.

Which solution will meet these requirements?

Correct Answer: C

To meet the requirement of allowing only two senior developers from the Development account to access the Production account initially, and then more developers later, the best solution is to create an IAM role in the Production account. This role should have a trust policy that specifies the Development account as a trusted entity. By using this method, developers in the Development account can assume the role to access resources in the Production account. This approach provides fine-grained control over who can access the Production account by managing the trust relationship and role policies efficiently.
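An added example (not from the original page or from AWS documentation): a simplified Python model of the cross-account check behind the explanation above, in which a developer can assume the Production role only when both the role's trust policy and an identity policy in the Development account allow `sts:AssumeRole`. The account IDs, role name and user names are constructed, and the model ignores conditions, explicit denies, wildcards and SCPs.

```python
# Added example: simplified model of cross-account sts:AssumeRole evaluation.
# Account IDs, role name and user names are constructed placeholders.
DEV, PROD = "111111111111", "999999999999"
ROLE_ARN = f"arn:aws:iam::{PROD}:role/ProdDeployRole"  # hypothetical role name

# Trust policy on the role in the Production account: trusts the Development account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{DEV}:root"},
    "Action": "sts:AssumeRole",
}]}

# Identity policy in the Development account, given only to developers who need access.
ASSUME_PROD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
]}

# Constructed users and the identity policies each one holds (directly or via a group).
USERS = {"senior-dev-1": [ASSUME_PROD], "senior-dev-2": [ASSUME_PROD], "junior-dev-1": []}

def as_list(value):
    return value if isinstance(value, list) else [value]

def trust_allows(trust, user_arn):
    """True if the trust policy names the user or the user's account root."""
    account_root = f"arn:aws:iam::{user_arn.split(':')[4]}:root"
    for st in trust["Statement"]:
        if st["Effect"] == "Allow" and "sts:AssumeRole" in as_list(st["Action"]):
            principals = as_list(st["Principal"].get("AWS", []))
            if user_arn in principals or account_root in principals:
                return True
    return False

def identity_allows(policies, role_arn):
    """True if any attached identity policy allows sts:AssumeRole on the role."""
    return any(
        st["Effect"] == "Allow" and "sts:AssumeRole" in as_list(st["Action"])
        and role_arn in as_list(st["Resource"])
        for policy in policies for st in policy["Statement"]
    )

def can_assume(user, trust=TRUST_POLICY, role_arn=ROLE_ARN):
    """Cross-account access needs an Allow on both sides."""
    user_arn = f"arn:aws:iam::{DEV}:user/{user}"
    return trust_allows(trust, user_arn) and identity_allows(USERS[user], role_arn)

if __name__ == "__main__":
    for name in USERS:
        print(name, can_assume(name))
```

In this model, widening access in the beta phase means giving more Development users the identity policy; the trust policy on the Production role stays unchanged.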

Discussion

802c4ff - Option: C
Apr 18, 2024

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

f07ed8f - Option: C
May 22, 2024

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

xBUGx - Option: D
Apr 3, 2024

I think D is better

Mikado211 - Option: D
Apr 19, 2024

If you want ALL the developers to assume the role in production, then C, using a trust policy to assume the role in production, is perfect. BUT you could allow users in the development account to assume the role in production, but in the end you will potentially maintain a big trust policy, depending on the total number of users. Here you want only some developers to connect to production (others will follow, without knowing if they all can connect and without knowing the number), so managing a separate group will give you a little more maintenance but will allow you to have different rights between the users. I'd say D.

03beafc - Option: A
Apr 26, 2024

You can't assign groups as principals; B and C don't specify only the senior devs; A is the only one that works here.

03beafc
Apr 26, 2024

Edit: none of these answers are right....

TwinSpark - Option: D
May 21, 2024

Weird question, but D is actually the only one that allows you to select which developer gets access and when, so I will go for D.

KennethNg923
Jun 16, 2024

Agree, as C will let any developers assume the role without control

KennethNg923
Jun 16, 2024

I checked here: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html, and yes, it should use an IAM role. I correct my choice to C.

Mayank0502 - Option: D
Jul 6, 2024

Answer should be D