Exam AWS Certified SysOps Administrator - Associate topic 1 question 191 discussion

Correct answers are A and E. The combination of option B and D also works, but the best practice is using an IAM user, not the root user. https://docs.aws.amazon.com/awssupport/latest/user/changing-support-plans.html https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

I think its B and D. When a new account joins organizations, it creates a new temp root password and you will be prompted to change it when logging in for the first time. "When you create a new account, AWS Organizations initially assigns a password to the root user that is a minimum of 64 characters long. All characters are randomly generated with no guarantees on the appearance of certain character sets. You can't retrieve this initial password. To access the account as the root user for the first time, you must go through the process for password recovery."

Ok after extensive research and running this through three different AIs it is definitely B & D. To add AWS Business Support to the new account, You HAVE to be logged in as the root user. Admin will not work.

Answer is A and D. When using Organizations, use of root account to manager member accounts is not recommended. It should be accessed using non-root IAM user having appropriate permissions. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html "New accounts you create in Organizations have no root user credentials by default."

how can you pick D: This step is unnecessary unless the root user credentials are lost. It is not a prerequisite to upgrading the support plan.

A & B: Changing the AWS Support plan requires administrative-level access. The root user has unrestricted access to manage account-level settings, including billing and support plans. AWS recommends using the root user credentials only when performing account setup tasks like upgrading the support plan.If an IAM user with the appropriate "aws-portal:ModifyAccount" or billing permissions exists, they can also upgrade the support plan. This approach aligns with the principle of least privilege by avoiding root user usage whenever possible.If an administrator IAM user already exists, they can perform the necessary actions. Creating a new IAM user is unrelated to the support plan upgrade process.

First, lets have the Admin user created via "option E" and then lets get signed in via that newly admin user and have the support plan changed by that admin user. Hence, this combination follows one of the security best practices by performing the operations via least privileged access.

I will go with BD as well. Upon my research, you don't need administrator access on a IAM user in order to change the support plan, so A and E are out of question because you are ignoring the least privilege principle. Regarding the AWS Support API, this is used to open cases and other actions related to support and NOT to change the support plan. So in this scenario it would be the best practice to login as root to change the support plan and change the password.

going with A and E

An IAM user with correct permissions or the root user can change support plans, so option B would work. However, the question says to choose a combination of steps, 2 answers. Therefore I think E and A are correct.

A and E

To add AWS Business Support to a new member account in AWS Organizations, you need to perform the following steps: Sign in as the Root User: Sign in to the new account using the root user credentials. Change Support Plan: After signing in as the root user, navigate to the AWS Support Center. Change the support plan to AWS Business Support. Create IAM User (Optional): Optionally, to enhance security and follow best practices, create an IAM user with administrator privileges. Use the IAM user for day-to-day operations instead of relying on the root user. Options A and C are incorrect:

create an IAM user that has administrator privileges in the new account. Sign in to the new account by using IAM credentials. Change the support plan. https://docs.aws.amazon.com/awssupport/latest/user/changing-support-plans.html https://docs.aws.amazon.com/awssupport/latest/user/security-support-plans.html

I''ll give some tips: A: you can't change plan with basic user C: Support plan not has an API E: Not is necessary for change support plan So you need access as root user, maybe if you don't have the password you maybe need reset password

As per the link from @ Christina666 To change your support plan, you must have AWS Identity and Access Management (IAM) permissions or sign in to your account as a root user..

It is a tricky question. Support plan can be changed by root account or if you have enough IAM permissions. https://docs.aws.amazon.com/awssupport/latest/user/changing-support-plans.html We need to provide a COMBINATION of actions. So we can either update Support plan with root account or we can create new IAM user with admin access and update Support plan with it. Creating new IAM user with admin access doesn't make sense if you have already updated Support plan with your root account. I vote for AE.

B. sign in with credential < root account to change other user's config. E. create user with root privilege