Examice

Exam DOP-C02 All QuestionsBrowse all questions from this exam

Question 247

A company uses an organization in AWS Organizations to manage its AWS accounts. The company's DevOps team has developed an AWS Lambda function that calls the Organizations API to create new AWS accounts.

The Lambda function runs in the organization's management account. The DevOps team needs to move the Lambda function from the management account to a dedicated AWS account. The DevOps team must ensure that the Lambda function has the ability to create new AWS accounts only in Organizations before the team deploys the Lambda function to the new account.

Which solution will meet these requirements?

In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda execution role in the new AWS account. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.

In the management account, turn on delegated administration for Organizations. Create a new delegation policy that grants the new AWS account permission to create new AWS accounts in Organizations. Ensure that the Lambda execution role has the organizations:CreateAccount permission.

In the management account, create a new IAM role that has the necessary permission to create new accounts in Organizations. Allow the role to be assumed by the Lambda service principal. Update the Lambda function code to assume the role when the Lambda function creates new AWS accounts. Update the Lambda execution role to ensure that it has permission to assume the new role.

In the management account, enable AWS Control Tower. Turn on delegated administration for AWS Control Tower. Create a resource policy that allows the new AWS account to create new AWS accounts in AWS Control Tower. Update the Lambda function code to use the AWS Control Tower API in the new AWS account. Ensure that the Lambda execution role has the controltower:CreateManagedAccount permission.

Correct Answer: A

Moving the Lambda function to a new AWS account requires the function to retain the necessary permissions to create new AWS accounts within AWS Organizations. This can be done by creating a new IAM role in the management account with the required permissions and configuring the Lambda function to assume this role. By allowing the role to be assumed by the Lambda execution role in the new AWS account and updating the Lambda function to assume the role when it needs to create new accounts, you ensure that the function can perform its tasks with the appropriate permissions. This solution ensures that permissions remain centralized and secure, fulfilling the requirement effectively.

Discussion

trungtdOption: A

- Create IAM Role in Management Account: include actions like "organizations:CreateAccount" - Allow Role Assumption: specifying the ARN of the Lambda execution role in the new account in the trust policy of the IAM role. - Using the AWS SDK to assume the role and get temporary credentials in Lambda's code - Ensure that the Lambda execution role in the new account has the necessary permissions to assume the IAM role created in the management account.

tgv

---> A