AWS Certified Cloud Practitioner / Question #1375 of 719

Question #1375

In which scenario should a company create an IAM user instead of an IAM role?

- A: When an application hosted in an on-premises data center requires temporary access to AWS services
- B: When the company needs to provide AWS access via access keys for a third-party application that does not support role assumption
- C: When granting permissions to an AWS Lambda function to interact with Amazon S3
- D: When enabling cross-account access for users from another AWS account
- E: When users are authenticated via AWS Single Sign-On (SSO) and require federated access

Explanation

Answer B is correct because an IAM user is required when a third-party application needs AWS access via access keys and does not support role assumption. IAM roles provide temporary credentials that are obtained by assuming the role, so they are unsuitable for an application that cannot do so.

Other options are incorrect:
- A: On-premises applications needing temporary access should use roles (via AWS STS).
- C: Lambda functions use roles, not users, for permissions.
- D: Cross-account access is handled via roles, not users.
- E: AWS SSO uses federated roles, eliminating the need for IAM users.

Key Points:
- Use IAM users for long-term credentials when roles are not feasible.
- Roles are preferred for temporary access, cross-account, and service-to-service permissions.

Answer

The correct answer is: B