You are an AWS administrator. Your company has two key EC2 instances owned by AWS account A. The users in AWS account B may start/stop these EC2 instances from time to time. These users are under the same IAM user group called “Group_QA”. You already created a cross-account role “EC2Update” in account A.

Answer options:

A.With AWS CLI, the user calls the AssumeRoleWithSAML function to obtain credentials for the “EC2Update” role.
B.The user chooses the account name on the navigation bar and clicks “Switch Role”. The user specifies the account ID (or alias) and role name.
C.The user can click on a link sent in an email by the administrator which takes the user to the Switch Role page with the details already filled in. The link can be found when the role “EC2Update” was created.
D.In the AWS console, the user clicks its account name and chooses “Switch Accounts”. The user then specifies the account ID, key credentials, and the role name for account A.

Correct Answer– B and C
You can grant your IAM users permission to switch to roles within your AWS account or to roles defined in other AWS accounts that you own.
The user chooses the account name on the navigation bar and chooses Switch Role. The user specifies the account ID (or alias) and role name. Alternatively, the user can click on a link sent in an email by the administrator. The link takes the user to the Switch Role page with the details already filled in.
Option A is incorrect because, for AWS API/AWS CLI, the user in the group “Group_QA” should call the AssumeRole function to obtain credentials for the “EC2Update” role.
Option D is incorrect because it should be “Switch Role” rather than “Switch Accounts,” and no key credentials are needed for switching rules to another account.
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html