Exam AWS Certified Cloud Practitioner CLF-C02 topic 1 question 98 discussion

A. IAM group: Containers for IAM users. They are used to simplify the management of IAM policies by allowing you to attach policies to a group and automatically apply those policies to all users in the group. However, IAM groups are not directly used for cross-account access. B. IAM role: Are used to delegate permissions to users, applications, or services. In the context of cross-account access, you can create an IAM role in the target account and define policies that grant access to the necessary resources. Users in the source account can assume the role to access resources in the target account. IAM roles are commonly used for cross-account access scenarios. C. IAM tag: Are metadata that you can assign to IAM users, groups, roles, and policies. While tags are useful for organizing and managing resources, they are not the primary mechanism for granting cross-account access. D. IAM Access Analyzer: A tool that helps identify resources that are shared with an external entity or are publicly accessible. It is used for analyzing access across accounts, but not specifically for setting up cross-account access.

B. IAM role: Are used to delegate permissions to users, applications, or services. In the context of cross-account access, you can create an IAM role in the target account and define policies that grant access to the necessary resources. Users in the source account can assume the role to access resources in the target account. IAM roles are commonly used for cross-account access scenarios.

B. IAM role

Group beacuse of users,

Should Be A. Because we are talking about USERS and not a USER.

Since there are many users that need access, shouldn't a group be created and include those users in the group and then grant to the group the role?

I think it is also better for the trusted account to use STS AssumeRole API call to assume the role with temporary credentials

B. IAM role: Are used to delegate permissions to users, applications, or services. In the context of cross-account access, you can create an IAM role in the target account and define policies that grant access to the necessary resources. Users in the source account can assume the role to access resources in the target account. IAM roles are commonly used for cross-account access scenarios.

"You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account."

B. IAM Role

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

IAM role

IAM Role