
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 250 discussion

A company has an organization in AWS Organizations that includes dedicated accounts for each of its business units. The company is collecting all AWS CloudTrail logs from the accounts in a single Amazon S3 bucket in the top-level account. The company’s IT governance team has access to the top-level account. A security engineer needs to allow each business unit to access its own CloudTrail logs.

The security engineer creates an IAM role in the top-level account for each of the other accounts. For each role, the security engineer creates an IAM policy to allow read-only permissions to objects in the S3 bucket with the prefix of the respective logs.

Which action must the security engineer take in each business unit account to allow an IAM user in that account to read the logs?

  • A. Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role’s ARN in the policy.
  • B. Create an SCP that grants permissions to the top-level account.
  • C. Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role’s ARN in the policy.
  • D. Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.
Suggested Answer: A

Comments

woonsi
2 days, 9 hours ago
Selected Answer: A
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/BusinessUnitLogsAccess"
    }
  ]
}
upvoted 1 times
woonsi
2 days, 9 hours ago
🎯 Here’s why: The goal is to let IAM users in each business unit account access only their own logs in the centralized S3 bucket (located in the top-level account). The IAM roles in the top-level account have the necessary permissions on the S3 bucket, but those roles belong to the top-level account — users in business unit accounts need a way to “borrow” that access.
👉 To achieve this cross-account access:
1. The top-level account must define a role with an “assume role” trust policy allowing the business unit account to assume it.
2. Each business unit account must grant its users permission to assume the role in the top-level account — this is done via an IAM user policy.
A typical IAM user policy in the business unit account might look like this:
upvoted 1 times
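The two steps described above (a trust policy on the role in the top-level account, a prefix-scoped read-only permissions policy on that role, and an sts:AssumeRole policy on the business-unit user) as one added example. This is not code from the exam page or from AWS; the account IDs, bucket name and role name are constructed placeholders, the AWSLogs/<account-id>/ key layout is an assumption about how the logs are stored, and the is_allowed function is a deliberately simplified evaluator (wildcards only, no Condition handling) used to check that one business unit's role cannot read another unit's prefix, not a model of the real IAM engine.

```python
"""Cross-account access to centralized CloudTrail logs (option A).

Added example, not from the exam page or AWS documentation. Builds the three
policy documents involved and checks prefix isolation with a simplified
evaluator. Account IDs, bucket and role names are constructed placeholders.
"""
import fnmatch
import json

TOP_ACCOUNT = "111111111111"        # constructed: top-level (governance) account
LOG_BUCKET = "org-cloudtrail-logs"  # constructed bucket name


def log_prefix(bu_account_id: str) -> str:
    """Assumed layout: each account's trail files live under AWSLogs/<account-id>/."""
    return f"AWSLogs/{bu_account_id}/"


def trust_policy(bu_account_id: str) -> dict:
    """Trust policy of the role in the top-level account: only this BU account may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{bu_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def role_permissions_policy(bu_account_id: str) -> dict:
    """Permissions policy of that role: read-only, scoped to the BU's own prefix."""
    prefix = log_prefix(bu_account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # ListBucket is bucket-level, so the prefix is enforced via a condition
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{LOG_BUCKET}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {   # GetObject is object-level, so the prefix goes into the resource ARN
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{LOG_BUCKET}/{prefix}*",
            },
        ],
    }


def user_assume_role_policy(role_arn: str) -> dict:
    """Identity policy attached to the IAM user in the BU account (the answer-A step)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluator: explicit Deny wins, otherwise any matching Allow.
    Handles '*' wildcards in Action/Resource and ignores Conditions; not the real IAM engine."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def read_own_logs(role_arn: str, bu_account_id: str) -> list:
    """Runtime flow for the BU user: assume the role, then list only the BU's own prefix.
    Needs boto3 and real credentials, so it is not exercised offline."""
    import boto3  # imported here so the rest of the module runs without boto3 installed

    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="bu-cloudtrail-reader")["Credentials"]
    s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    resp = s3.list_objects_v2(Bucket=LOG_BUCKET, Prefix=log_prefix(bu_account_id))
    return [obj["Key"] for obj in resp.get("Contents", [])]


if __name__ == "__main__":
    bu_a, bu_b = "222222222222", "333333333333"  # constructed BU account IDs
    role_a = f"arn:aws:iam::{TOP_ACCOUNT}:role/BU-{bu_a}-LogsRead"
    for doc in (trust_policy(bu_a), role_permissions_policy(bu_a), user_assume_role_policy(role_a)):
        print(json.dumps(doc, indent=2))
    own = f"arn:aws:s3:::{LOG_BUCKET}/{log_prefix(bu_a)}CloudTrail/us-east-1/a.json.gz"
    other = f"arn:aws:s3:::{LOG_BUCKET}/{log_prefix(bu_b)}CloudTrail/us-east-1/b.json.gz"
    print("own prefix:", is_allowed(role_permissions_policy(bu_a), "s3:GetObject", own))      # True
    print("other prefix:", is_allowed(role_permissions_policy(bu_a), "s3:GetObject", other))  # False
```

The trust policy names the business-unit account root as principal, which is what makes option A sufficient: once the account is trusted, the remaining control lives entirely in that account's own IAM user policy. Option D (forwarding the role's credentials) would bypass that per-user control and leave no AssumeRole record in CloudTrail for the business-unit user.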
AWSLoverLoverLoverLoverLover
3 weeks, 3 days ago
Selected Answer: A
A. Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role’s ARN in the policy.
Explanation: The IAM role in the top-level account is created to allow read-only access to specific CloudTrail logs. To allow an IAM user in a business unit account to access the logs, the user must assume the role in the top-level account. An IAM policy must be attached to the IAM user in the business unit account, allowing them to assume the role using the role's Amazon Resource Name (ARN).
upvoted 1 times
Bachhu
2 months, 2 weeks ago
Selected Answer: C
Cross account role.
upvoted 1 times
Bachhu
2 months ago
It’s A.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), other