A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole.

September 14, 2021 by Admin

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target AWS account (123456789123) to perform their job functions.
A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

[Figure: SCS-C01 AWS Certified Security – Specialty Part 07 Q03 017 (the policy attached to IdentityRole; not reproduced in text)]

What should be done to enable the user to assume the appropriate role in the target account?

  • Update the IAM policy attached to the role in the identity account to be:
    [Figure: SCS-C01 AWS Certified Security – Specialty Part 07 Q03 018]

  • Update the trust policy on the role in the target account to be:
    [Figure: SCS-C01 AWS Certified Security – Specialty Part 07 Q03 019]

  • Update the trust policy on the role in the identity account to be:
    [Figure: SCS-C01 AWS Certified Security – Specialty Part 07 Q03 020]

  • Update the IAM policy attached to the role in the target account to be:
    [Figure: SCS-C01 AWS Certified Security – Specialty Part 07 Q03 021]
