Amazon DOP-C02 Exam - Topic 7 Question 11 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 11
Topic #: 7

AnyCompany is using AWS Organizations to create and manage multiple AWS accounts. AnyCompany recently acquired a smaller company, Example Corp. During the acquisition process, Example Corp's single AWS account joined AnyCompany's management account through an Organizations invitation. AnyCompany moved the new member account under an OU that is dedicated to Example Corp.

AnyCompany's DevOps engineer has an IAM user that assumes a role that is named OrganizationAccountAccessRole to access member accounts. This role is configured with a full access policy. When the DevOps engineer tries to use the AWS Management Console to assume the role in Example Corp's new member account, the DevOps engineer receives the following error message: "Invalid information in one or more fields. Check your information or contact your administrator."

Which solution will give the DevOps engineer access to the new member account?

Suggested Answer: C

The problem is that the DevOps engineer cannot assume the OrganizationAccountAccessRole IAM role in the new member account that joined AnyCompany's management account through an Organizations invitation. The solution is to create a new IAM role with the same name and trust policy in the new member account.

Option A is incorrect, as it does not address the root cause of the error. The DevOps engineer's IAM user already has permission to assume the OrganizationAccountAccessRole IAM role in any member account, as this is the default role name that AWS Organizations uses when it creates a new account in an organization. The error occurs because the new member account does not have this role: the account was invited into the organization, so it was not created by AWS Organizations.

Option B is incorrect, as it does not address the root cause of the error. An SCP is a policy that defines the maximum permissions for account members of an organization or organizational unit (OU). An SCP does not grant permissions to IAM users or roles, but rather limits the permissions that identity-based policies or resource-based policies grant to them. An SCP also does not affect how IAM roles are assumed by other principals.

Option C is correct, as it addresses the root cause of the error. By creating a new IAM role with the same name and trust policy as the OrganizationAccountAccessRole IAM role in the new member account, the DevOps engineer can assume this role and access the account. The new role should have the AdministratorAccess AWS managed policy attached, which grants full access to all AWS resources in the account. The trust policy should allow the management account to assume the role, which can be done by specifying the management account ID as a principal in the policy statement.

Option D is incorrect, as it assumes that the new member account already has the OrganizationAccountAccessRole IAM role, which is not true. The new member account does not have this role, as it was not created by AWS Organizations. Editing the trust policy of a non-existent role will not solve the problem.
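As an added illustration that is not part of the original page, the Python below builds the option C trust policy for a placeholder management account ID and checks whether a given trust policy actually lets that account call sts:AssumeRole without relying on a wildcard principal (a common misconfiguration when such a role is recreated by hand). The account ID is a constructed placeholder; the role name is the one the explanation refers to.

```python
# Constructed placeholder value (not a real AWS account ID); the role name is the
# one discussed in the explanation above.
MANAGEMENT_ACCOUNT_ID = "111111111111"
ROLE_NAME = "OrganizationAccountAccessRole"


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy that lets principals in the management account assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def trusted_accounts(trust_policy: dict) -> set:
    """Account IDs allowed to call sts:AssumeRole; '*' marks a wildcard principal."""
    accounts = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":              # "Principal": "*" form
            accounts.add("*")
            continue
        aws = principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                accounts.add("*")
            elif p.startswith("arn:aws:iam::"):
                accounts.add(p.split(":")[4])   # account ID field of the ARN
            elif p.isdigit():
                accounts.add(p)                 # bare account ID form
    return accounts


def management_account_can_assume(trust_policy: dict, management_account_id: str) -> bool:
    """True only if the management account is trusted and no wildcard principal is present."""
    accounts = trusted_accounts(trust_policy)
    return management_account_id in accounts and "*" not in accounts
```

The dict returned by build_trust_policy is what would be serialised as the AssumeRolePolicyDocument when the role is created in the member account, with the AdministratorAccess managed policy attached separately.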


Contribute your Thoughts:

Jaime
3 months ago
Really? I’m surprised this is even an issue. Shouldn't access be straightforward?
upvoted 0 times
Nieves
3 months ago
Totally agree with A! Simple and effective solution.
upvoted 0 times
Kaitlyn
4 months ago
Wait, why not just create a new role? C sounds like overkill.
upvoted 0 times
Selma
4 months ago
I think D makes more sense, though. Trust policies are crucial.
upvoted 0 times
Regenia
4 months ago
A is the way to go! Granting permission is key.
upvoted 0 times
Carmen
4 months ago
I think I read that the OrganizationAccountAccessRole is automatically created, so maybe we just need to adjust its trust policy as mentioned in option D? That seems like a straightforward fix.
upvoted 0 times
Talia
4 months ago
I’m a bit confused about the difference between SCPs and IAM roles. I thought SCPs were more about restricting access, but I can't recall if they can grant permissions like in option B.
upvoted 0 times
Alba
5 months ago
This question feels similar to one we practiced where we had to adjust permissions for cross-account access. I think option D might be the right choice since it mentions editing the trust policy.
upvoted 0 times
Ngoc
5 months ago
I remember something about IAM roles and trust policies from my study sessions, but I'm not entirely sure how they apply here.
upvoted 0 times
Audria
5 months ago
This looks like a pretty straightforward BGP import policy question. I'll need to carefully read through the policy statement and understand how the prefix lists are being used.
upvoted 0 times
Kerry
5 months ago
This question seems straightforward, I think the answer is B. Reverse DNS stores the hostname in the PTR record for the IP address.
upvoted 0 times
Lucina
5 months ago
Manually removing powerball.com from the gambling URL category seems like a risky approach. What if the category gets updated in the future? I'd rather use a more robust solution like adding the URL to an allow rule or creating a custom category.
upvoted 0 times
Hortencia
5 months ago
Hmm, this seems like it could be a tricky one. I'm going to read through the question and answer choices a few times to make sure I understand the core issue before selecting an answer.
upvoted 0 times
Tiffiny
5 months ago
Wait, is it port 123? Or was it something else... Ugh, I'm drawing a blank here. I need to review my networking notes to be sure.
upvoted 0 times