A company is using AWS Organizations with multiple accounts. The Security team wants to centrally manage IAM roles that can be assumed by users in member accounts. Which solution should be used to enforce that only specific roles can be assumed across accounts, while ensuring that policy updates are automatically applied to all accounts?
- A. Create an IAM role in each member account with a trust policy that allows the Security account, and use AWS CloudFormation StackSets to deploy the roles.
  Why wrong: CloudFormation StackSets can deploy roles, but updates require re-deployment; not automatically enforced.
- B. Use AWS Single Sign-On (SSO) to assign permissions to users across accounts.
  Why wrong: AWS SSO manages user access, not IAM role restrictions.
- C. Create an IAM role in the Security account with a trust policy that references a service control policy (SCP) in AWS Organizations.
  Why correct: SCPs can restrict IAM actions across accounts, and the trust policy can reference the SCP to enforce central control.
- D. Create a resource-based policy on each IAM role in the member accounts that allows the Security account to assume the role.
  Why wrong: Resource-based policies are per-account and not centrally managed.