Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 147 discussion

AnyCompany is using AWS Organizations to create and manage multiple AWS accounts. AnyCompany recently acquired a smaller company, Example Corp. During the acquisition process, Example Corp's single AWS account joined AnyCompany's management account through an Organizations invitation. AnyCompany moved the new member account under an OU that is dedicated to Example Corp.

AnyCompany's DevOps engineer has an IAM user that assumes a role that is named OrganizationAccountAccessRole to access member accounts. This role is configured with a full access policy. When the DevOps engineer tries to use the AWS Management Console to assume the role in Example Corp's new member account, the DevOps engineer receives the following error message: "Invalid information in one or more fields. Check your information or contact your administrator."

Which solution will give the DevOps engineer access to the new member account?

  • A. In the management account, grant the DevOps engineer's IAM user permission to assume the OrganizationAccountAccessRole IAM role in the new member account.
  • B. In the management account, create a new SCP. In the SCP, grant the DevOps engineer's IAM user full access to all resources in the new member account. Attach the SCP to the OU that contains the new member account.
  • C. In the new member account, create a new IAM role that is named OrganizationAccountAccessRole. Attach the AdministratorAccess AWS managed policy to the role. In the role's trust policy, grant the management account permission to assume the role.
  • D. In the new member account, edit the trust policy for the OrganizationAccountAccessRole IAM role. Grant the management account permission to assume the role.
Suggested Answer: C

Comments

radev
Highly Voted 1 year, 5 months ago
Selected Answer: C
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role
upvoted 6 times
...
thanhnv142
Highly Voted 1 year, 2 months ago
Selected Answer: C
C is correct: <assume the role in Example Corp's new member account> means this role has not been properly configured (or even not created).
A: only mentions assuming the role, not creating it.
B: SCP has nothing to do here.
D: only mentions creating the trust relationship.
upvoted 6 times
...
AC2021
Most Recent 3 months ago
Selected Answer: D
The role is already there. Why create a new one?
upvoted 2 times
ce0df07
2 months, 2 weeks ago
The role would not be automatically created in accounts that are added through invitation (as opposed to accounts created within the organization).
upvoted 1 times
...
...
Simba84
4 months, 1 week ago
Selected Answer: D
Correct Answer is D.
Role Trust Policy Issue: When a new account is invited and joins an AWS Organization, the OrganizationAccountAccessRole is typically created automatically. This role allows the management account to access member accounts, but its trust policy must explicitly grant the management account permission to assume the role. If this trust policy is not configured correctly, the management account cannot assume the role, leading to the error message.
upvoted 4 times
ce0df07
2 months, 2 weeks ago
Incorrect. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role "When you create a member account using AWS Organizations, Organizations automatically creates an IAM role in the account that grants administrator access to the management account. For invited member accounts, you must manually create the role."
upvoted 1 times
...
...
eugene2owl
4 months, 3 weeks ago
Selected Answer: C
I've spent like 30 mins, and now I've got the most full explanation. Correct answer is "C", while "D" is NOT FULLY describing what needs to be done (so it's wrong).
The thing you need to know to answer this question is the following:
* if an account is generated (meaning NEW account CREATED) within the Org, then this account will automatically have a proper role "OrganizationAccountAccessRole"
* if an account is invited (meaning EXISTING account ADDED) to the Org, then this account will NOT have such a role
The question says that the Management Account tries to assume a role called "OrganizationAccountAccessRole" from the member account, but it gets an error saying like "there is no such thing which you request". So to fix the error you need to:
1) Create an IAM Role "OrganizationAccountAccessRole" in the member account
2) Give it a FullAccess Policy
3) Allow the Management Account to assume this role via its Trust Relationship
upvoted 5 times
...
hamzaBennis
5 months, 2 weeks ago
member accounts that you invite to join your organization do not automatically get an administrator role created. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create-cross-account-role.html
upvoted 2 times
...
VerRi
5 months, 3 weeks ago
Selected Answer: D
"IAM user that assumes a role that is named OrganizationAccountAccessRole", the role is already there
upvoted 3 times
...
heff_bezos
7 months ago
Selected Answer: D
The question states that the role already exists with full access policy. This role exists in the new member account. We need to give the IAM user from the management account the ability to assume it.
upvoted 3 times
...
aws_god
7 months, 3 weeks ago
Selected Answer: D
This role is created by default in member accounts. See: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
upvoted 2 times
heff_bezos
7 months ago
"By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role. By default, that role is named OrganizationAccountAccessRole" https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create-cross-account-role.html
upvoted 1 times
...
...
c3518fc
1 year ago
Selected Answer: C
To create an AWS Organizations administrator role in a member account:
Sign in to the IAM console at https://console.aws.amazon.com/iam/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the member account. The user or role must have permission to create IAM roles and policies.
In the IAM console, navigate to Roles and then choose Create role.
Choose AWS account, and then select Another AWS account.
Enter the 12-digit account ID number of the management account that you want to grant administrator access to. Under Options, please note the following:
On the Add permissions page, choose the AWS managed policy named AdministratorAccess and then choose.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role
upvoted 4 times
...
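An added example, not part of any comment in this thread and not AWS's own code: the trust policy that the manually created OrganizationAccountAccessRole needs in an invited member account, plus a check that flags a trust policy which omits the management account or trusts anyone else. The function names and the account ID 111111111111 are constructed placeholders; the AdministratorAccess permissions policy is attached to the role separately.

```python
import json
import re

ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}

def build_trust_policy(management_account_id):
    """Trust policy for the manually created role in an invited member account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trusted_accounts(policy):
    """Account IDs (or '*') that Allow statements permit to assume the role."""
    accounts = set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for entry in entries:
            # Accept both a bare 12-digit account ID and an IAM ARN.
            match = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.*)?", entry)
            accounts.add(match.group(1) if match else entry)
    return accounts

def audit_trust_policy(policy, management_account_id):
    """Findings for a role's trust policy; an empty list means it is as intended."""
    trusted = trusted_accounts(policy)
    findings = []
    if management_account_id not in trusted:
        findings.append("management account cannot assume this role")
    for other in sorted(trusted - {management_account_id}):
        findings.append(f"unexpected trusted principal: {other}")
    return findings

if __name__ == "__main__":
    MGMT = "111111111111"  # constructed placeholder management account ID
    policy = build_trust_policy(MGMT)
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, MGMT))
```

The audit ignores Condition blocks and treats a user or role ARN as its owning account, so it is a first-pass check rather than a full policy evaluation.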
Andy11234912
1 year ago
Selected Answer: D
not c, the role is already created
upvoted 2 times
Jay_2pt0_1
10 months, 2 weeks ago
From reading the question, I'm not sure.
upvoted 1 times
...
...
sirronido
1 year ago
D. The role is already created; what is needed is just to update the trust policy.
upvoted 1 times
...
DanShone
1 year, 1 month ago
C is correct
upvoted 1 times
...
twogyt
1 year, 3 months ago
Selected Answer: C
C is correct
upvoted 4 times
...
zain1258
1 year, 5 months ago
Selected Answer: C
C is correct
upvoted 4 times
...
tom_cat
1 year, 5 months ago
For invited accounts the OrganizationAccountAccessRole needs to be created: Member accounts that you invite to join your organization do not automatically get an administrator role created. You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.
upvoted 2 times
tom_cat
1 year, 5 months ago
So I believe it's C.
upvoted 2 times
...
...
vandergun
1 year, 5 months ago
Selected Answer: A
A should be correct
upvoted 1 times
...