Question #1437
A solutions architect needs to enable developers in the development account to access an Amazon DynamoDB table in the production account. The developers currently have IAM users in the development account, which are part of an IAM group granting DynamoDB access in the development account. An IAM role has been created in the production account with a policy allowing access to the DynamoDB table. Which solution ensures least privilege?
Attach the AdministratorAccess policy to the IAM group in the development account.
Add the development account as a principal in the trust policy of the role in the production account.
Enable public access to the DynamoDB table in the production account.
Create IAM users in the production account for each developer.
Explanation
The correct answer is B. Cross-account access in AWS requires configuring the IAM role's trust policy to allow the development account as a trusted principal. This enables developers in the development account to assume the role in the production account, granting them temporary permissions to access the DynamoDB table without excessive privileges.
- Option A violates least privilege by granting administrative access.
- Option C compromises security by making the DynamoDB table publicly accessible.
- Option D introduces management overhead by creating duplicate users.
Key points: Cross-account access uses IAM roles with trust policies; least privilege is achieved by granting minimal necessary permissions via role assumption.
Answer
The correct answer is: B