SAP-C02 Question 233
Question
A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts. Which solution will meet this requirement?
Options
A. Create an IAM user and a cross-account role in the management account. Configure the cross-account role with least privilege access to the member accounts.
B. Create an IAM user in each member account. In the management account, create a cross-account role that has least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.
C. Create an IAM user in the management account. In the member accounts, create an IAM group that has least privilege access. Add the IAM user from the management account to each IAM group in the member accounts.
D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the roles by using a trust policy.
Answer
D
Explanation
Correct answer: D.

Why D works: the EC2 instances and other resources live in the member accounts, so the permissions that act on them must come from IAM roles defined in those accounts. Each member account creates a role whose permissions policy grants only what the task needs (for example ec2:StopInstances and ec2:TerminateInstances) and whose trust policy names the management-account IAM user as the principal allowed to call sts:AssumeRole. Cross-account access requires permission on both sides: the member-account role must trust the user, and the user must have an identity policy that allows sts:AssumeRole on each role's ARN. A single user in the management account can then assume the development role or the production role as needed and receives temporary credentials scoped to that role.

Why the others fail:
A. A role created in the management account grants permissions only inside the management account; it cannot stop or terminate resources in a member account, no matter how its policy is written.
B. The direction is reversed. Users in the member accounts assuming a role in the management account gain nothing in the member accounts, and the design creates a user per account instead of the single user the question asks for.
C. IAM groups can only contain IAM users from the same account. A user from the management account cannot be added to a group in a member account.

When working SAP-C02 questions, check the answer against the constraint words in the stem (highest performance, lowest operational overhead, cost effectiveness, reliability, scalability, security, RTO/RPO, compliance). The topics relevant to this question include IAM, Organizatio...
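The three policy documents that option D requires, plus a small evaluator that shows why both sides of the cross-account trust are needed. This is an added example, not part of the original question or an AWS-provided artifact; the account IDs, user name (ops-shutdown), role name (ShutdownRole) and the MFA condition in the trust policy are constructed assumptions, and the evaluator is a simplified model of IAM (explicit Deny wins, Allow matches by wildcard, Conditions are not evaluated).

```python
import fnmatch
import json

# Constructed placeholder identifiers (assumptions, not from the question).
MGMT_ACCOUNT = "111111111111"
MEMBER_ACCOUNTS = {"development": "222222222222", "production": "333333333333"}
USER_NAME = "ops-shutdown"
USER_ARN = f"arn:aws:iam::{MGMT_ACCOUNT}:user/{USER_NAME}"
ROLE_NAME = "ShutdownRole"


def role_arn(account_id: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"


def trust_policy(principal_arn: str) -> dict:
    """Trust policy attached to the role in each MEMBER account. It names the
    management-account user as the only principal. Requiring MFA is an added
    hardening choice (assumption), not something the question specifies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def permissions_policy() -> dict:
    """Least-privilege permissions policy on the member-account role:
    only stop and terminate, nothing that creates or reconfigures."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "*",
        }],
    }


def user_assume_role_policy(role_arns: list) -> dict:
    """Identity policy on the MANAGEMENT-account user. Cross-account access
    needs both sides: the role trusts the user AND the user may call
    sts:AssumeRole on exactly these role ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": sorted(role_arns),
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy: dict, action: str, resource: str = "*") -> bool:
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching
    Allow grants. Condition blocks are ignored in this model."""
    allowed = False
    for stmt in policy["Statement"]:
        acts = _as_list(stmt.get("Action", []))
        res = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in res):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def role_trusts(trust: dict, principal_arn: str) -> bool:
    """True if the trust policy lets principal_arn call sts:AssumeRole."""
    for stmt in trust["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if principal_arn in _as_list(stmt["Principal"].get("AWS", [])):
            return True
    return False


def can_act_in(account_id: str, principal_arn: str, action: str) -> bool:
    """End-to-end check for one member account: the user may assume the role,
    the role trusts the user, and the role's permissions cover the action."""
    target = role_arn(account_id)
    user_policy = user_assume_role_policy([role_arn(a) for a in MEMBER_ACCOUNTS.values()])
    return (policy_allows(user_policy, "sts:AssumeRole", target)
            and role_trusts(trust_policy(USER_ARN), principal_arn)
            and policy_allows(permissions_policy(), action))


def assume_role_command(account_id: str) -> str:
    """The AWS CLI call the user runs to obtain temporary credentials in a
    member account (returned as a string; nothing is executed here)."""
    return (f"aws sts assume-role --role-arn {role_arn(account_id)} "
            f"--role-session-name {USER_NAME}-shutdown")


if __name__ == "__main__":
    for name, acct in MEMBER_ACCOUNTS.items():
        print(f"# {name} account {acct}: trust policy and assume-role call")
        print(json.dumps(trust_policy(USER_ARN), indent=2))
        print(assume_role_command(acct))
```

The trust policy goes on the role in each member account, the permissions policy is attached to that same role, and the sts:AssumeRole identity policy is attached to the user in the management account. Removing either the trust statement or the user's AssumeRole permission makes the end-to-end check fail, which is the point the question is testing.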