AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A SysOps administrator creates an IAM role in Account A with this trust policy excerpt:

"Principal": { "AWS": "arn:aws:iam::123456789012:root" }

Minutes later, IAM Access Analyzer flags the role as accessible outside the organization. The administrator must remove unintended access yet still allow only the DevUser IAM user in Account B (123456789012) to assume the role. What should the administrator do to meet these requirements and clear the finding?

  • Update the role's trust policy to replace the root ARN with "arn:aws:iam::123456789012:user/DevUser", then re-run Access Analyzer and archive the resolved finding.

  • Attach an IAM permissions boundary to the role that denies sts:AssumeRole actions from the Account B root user.

  • Disable the analyzer for the Region so that the finding no longer appears in the console.

  • Add a Condition element to the trust policy that requires aws:PrincipalOrgID to match Account B's organization ID.

Security and Compliance