ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 52 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 52
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company uses AWS Organization to manage 50 AWS accounts. The finance staff members log in as AWS IAM users in the FinanceDept AWS account. The staff members need to read the consolidated billing information in the MasterPayer AWS account. They should not be able to view any other resources in the
MasterPayer AWS account. IAM access to billing has been enabled in the MasterPayer account.
Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

  • A. Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
  • B. Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
  • C. Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.
  • D. Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by ugreenhost at Sept. 6, 2019, 8:18 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Osemk
Highly Voted 3 years, 7 months ago
D is the correct answer
upvoted 28 times
...
durmusc
Highly Voted 3 years, 5 months ago
Answer is D. Beware the trick in C : It will not be "FinanceDept" it will be "MasterPayer" account.
upvoted 8 times
...
habros
Most Recent 4 months, 1 week ago
Selected Answer: D
Assume role for cross account in this case
upvoted 1 times
...
ITGURU51
1 year, 11 months ago
The permissions for the IAM role must be provisioned in the MasterPayer account with viewbilling permission. Then grant the FinanceDept the ability to assume the role. D
upvoted 1 times
...
dcasabona
2 years, 9 months ago
Selected Answer: D
D is my option.
upvoted 2 times
ITGURU51
1 year, 11 months ago
The account that will be configured to assume the role is the account that needs access to the shared resources. The account that owns the shared resources is the account that defines the trust policy that specifies which accounts are allowed to assume the role and what permissions are granted to them.
upvoted 2 times
...
...
mongiam
3 years ago
Selected Answer: D
D. Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.
upvoted 3 times
...
munish3420
3 years, 5 months ago
D is correct answer because of two reasons: One its secure , when any user or service assume role - STS provide temp credentials in the backend and it expires after sometime C is not correct because you have to create the role in target and user/service has to assume to access the target A is wrong obviously because user need access in master account B is wrong because every time user has to login to master account, it easy for user to keep logged in single account and access other account by assuming a role and it does not provide long term credentials to users
upvoted 3 times
...
sanjaym
3 years, 5 months ago
Ans: D 100%
upvoted 5 times
...
dishu2511
3 years, 5 months ago
D is the right answer
upvoted 1 times
...
NANDY666
3 years, 6 months ago
D is Correct
upvoted 1 times
...
Stpn2me
3 years, 6 months ago
Looks like D to me.
upvoted 1 times
...
devjava
3 years, 6 months ago
Ans > D
upvoted 1 times
...
AfricanCloudGuru
3 years, 6 months ago
Ans(D)
upvoted 3 times
...
PeppaPig
3 years, 6 months ago
D is correct. Standard configuration of Cross-account access control
upvoted 3 times
...
halfdeaf
3 years, 6 months ago
D should be the correct answer. The question clearly mentions that the IAM users are part of the finance account. When you switch role, the destination account is where you need to create the role that can be assumed when switching into the respective account. Moreover it's consolidated billing, and there are around 50 accounts so it's easy to switch to the master account to see the entire billing data.
upvoted 2 times
...
gfhbox0083
3 years, 6 months ago
D, for sure
upvoted 3 times
...
RaySmith
3 years, 6 months ago
D is correct
upvoted 4 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago