AWS Certified Cloud Practitioner / Question #771

Question #771

A company's application requires cross-account access to resources in another AWS account. The application must use temporary security credentials with restricted permissions to ensure secure access. Which AWS service should the company use to generate these credentials?

A

AWS Key Management Service (KMS)

B

IAM roles

C

AWS Security Token Service (AWS STS)

D

Amazon S3 bucket policies

Explanation

The correct answer is C, AWS Security Token Service (AWS STS). STS issues temporary security credentials (an access key ID, a secret access key and a session token) through API calls such as AssumeRole, AssumeRoleWithWebIdentity, AssumeRoleWithSAML and GetFederationToken. The credentials expire after a configurable session duration (from 15 minutes up to the role's maximum session duration) and can be narrowed further with an inline session policy supplied on the AssumeRole call. For cross-account access, the application calls sts:AssumeRole on a role that lives in the other account; that account controls who may assume the role through the role's trust policy, so no long-term access keys ever have to be shared between the accounts.

Why the other options are incorrect:
- A. AWS KMS: creates and manages encryption keys and performs cryptographic operations (encrypt, decrypt, sign, generate data keys); it does not issue credentials of any kind.
- B. IAM roles: a role defines the permissions and the trust relationship used for cross-account access, but a role by itself is not a credential. The application obtains usable credentials by calling STS AssumeRole on the role, and it is STS that returns them. When both options appear and the question asks what generates the temporary credentials, STS is the intended answer.
- D. S3 bucket policies: resource-based policies that grant or deny access to a bucket. A bucket policy can allow a principal from another account to use the bucket, but it does not issue credentials; the caller still needs its own credentials, temporary or otherwise.

Key Points to Remember:
- Use AWS STS for temporary credentials in cross-account or federated access scenarios.
- IAM roles define permissions and who is trusted to assume them; STS is the mechanism that assumes a role and hands back temporary credentials.
- Temporary credentials expire automatically. A session policy passed to AssumeRole can only narrow the role's permissions, never extend them, so the effective permissions are the intersection of the role's policies and the session policy.
- When a role is assumed from another account, require an ExternalId in the role's trust policy and keep the session duration short; the ExternalId mitigates the confused-deputy problem and a short session limits how long a leaked token remains useful.
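The cross-account flow described above, as an added example that is not part of the exam page: the trust policy the target account attaches to its role (with an ExternalId condition), the inline session policy that narrows the assumed session to one S3 prefix, and the AssumeRole call itself. Every account ID, the role name, the bucket name and the ExternalId are constructed placeholders. The STS client is passed in so the code runs offline; `OfflineSTS` is a constructed stand-in for `boto3.client("sts")` that records the request and returns a response shaped like the real one.

```python
"""Cross-account AssumeRole with AWS STS and a narrowed session policy.

Added example, not from the exam page. Identifiers are constructed
placeholders; OfflineSTS stands in for boto3.client("sts") so this runs
without AWS access.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed identifiers (hypothetical).
TRUSTED_ACCOUNT_ID = "111111111111"  # account the application runs in
TARGET_ACCOUNT_ID = "222222222222"   # account that owns the S3 data
ROLE_NAME = "AppCrossAccountReadRole"
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT_ID}:role/{ROLE_NAME}"
EXTERNAL_ID = "example-external-id-4f2a"  # agreed value; mitigates confused deputy
BUCKET = "example-target-bucket"


def trust_policy(trusted_account_id, external_id):
    """Trust policy on the role in the TARGET account: only principals in the
    trusted account may assume it, and only when they present the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def session_policy(bucket, prefix):
    """Inline session policy sent with AssumeRole. It can only narrow what the
    role's own policies allow; here the session may only read one prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        ],
    }


def assume_cross_account_role(sts, role_arn, external_id, policy,
                              session_name="app-session", duration=900):
    """Call sts:AssumeRole and return the temporary credentials.

    `sts` is any object with an assume_role(**kwargs) method (boto3's STS
    client in real use). DurationSeconds=900 is the shortest session STS
    allows; a short session limits how long a leaked token stays useful."""
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        ExternalId=external_id,
        Policy=json.dumps(policy),
        DurationSeconds=duration,
    )
    creds = resp["Credentials"]
    # Checks a caller should make before trusting the response.
    needed = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    missing = [k for k in needed if k not in creds]
    if missing:
        raise ValueError(f"STS response missing {missing}")
    account, role = role_arn.split(":")[4], role_arn.rsplit("/", 1)[1]
    if not resp["AssumedRoleUser"]["Arn"].startswith(
            f"arn:aws:sts::{account}:assumed-role/{role}/"):
        raise ValueError("assumed-role ARN does not match the requested role")
    return creds


def seconds_remaining(creds, now=None):
    """Seconds until the temporary credentials expire (<= 0 means expired)."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds()


class OfflineSTS:
    """Constructed stand-in for boto3's STS client: records the AssumeRole
    request and returns a response shaped like the real one."""
    def __init__(self):
        self.last_request = None

    def assume_role(self, **kwargs):
        self.last_request = kwargs
        account = kwargs["RoleArn"].split(":")[4]
        role = kwargs["RoleArn"].rsplit("/", 1)[1]
        exp = datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"])
        return {
            "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                            "SessionToken": "y", "Expiration": exp},
            "AssumedRoleUser": {"Arn": f"arn:aws:sts::{account}:assumed-role/"
                                       f"{role}/{kwargs['RoleSessionName']}"},
        }
```

In real use, replace `OfflineSTS()` with `boto3.client("sts")` in the source account and use the returned `AccessKeyId`, `SecretAccessKey` and `SessionToken` to build the S3 client; the session policy then caps what that client can do regardless of what the role is otherwise allowed.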

Answer

The correct answer is: C