AWS Certified Solutions Architect - Associate / Question #1799 of 1019

Question #1799

A company is collaborating with an external vendor to deploy resources into the company’s AWS account. The vendor utilizes a serverless application hosted in their own AWS account. The vendor does not have any IAM permissions in the company’s account. The company needs to provide the vendor with the necessary access while ensuring security best practices.

Which solution will meet these requirements MOST securely?

A

Create an IAM role in the company’s account that trusts the vendor’s AWS account. Attach the required IAM policies to the role to grant the vendor’s application the necessary permissions.

B

Create an IAM user in the company’s account with programmatic access keys. Attach the required IAM policies to the user and share the keys with the vendor’s application.

C

Create an IAM group in the company’s account and add the vendor’s IAM users to it. Attach the required IAM policies to the group to grant the necessary permissions.

D

Create an IAM user in the company’s account with a permission policy allowing access from the vendor’s account. Attach the required IAM policies to the user for the vendor’s application.

Explanation

Answer A is correct because:
1. IAM roles with trust relationships: a role in the company's account whose trust policy names the vendor's account (better still, the vendor application's specific execution role) lets the vendor's serverless application call AWS STS AssumeRole and receive temporary credentials. The permissions policies attached to the role define exactly what the vendor can do, so the company can scope access to least privilege, and no long-term credential is ever created or shared. When the vendor serves many customers, an sts:ExternalId condition in the trust policy is the standard mitigation for the confused deputy problem.
2. Security best practices: temporary credentials expire automatically, which limits the damage from a leaked session. Option B relies on long-lived access keys that must be transmitted to the vendor and rotated out of band. Option C is invalid because an IAM group can only contain IAM users from the same account, and the vendor's identities live in another account. Option D is also invalid: an IAM user has no trust policy, and an identity-based policy attached to a user cannot grant principals in another account the ability to use it, so in practice it would again mean sharing the user's long-lived keys.

Key Points:
- Use IAM roles (not users) for cross-account access.
- Temporary credentials obtained via STS AssumeRole expire and need no manual rotation.
- Trust policies define which external principals (an account, or preferably a specific role in it) can assume the role; the attached permissions policies define what the role can do.
- Add an sts:ExternalId condition when the trusted party is a vendor that acts on behalf of many customers.
- Avoid sharing access keys (B/D) or mixing IAM entities across accounts (C).
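The following Python is an added example, not code from the original page or from AWS documentation. It builds the trust policy for Answer A in a weak form (trusting the whole vendor account with no external ID) and a hardened form (trusting only the vendor application's role and requiring sts:ExternalId), shows the parameters the vendor's application would pass to STS AssumeRole, and lints a trust policy for the over-broad patterns a reviewer should flag. The account IDs, role names and external ID are placeholders; boto3 is deliberately not called so the example runs offline.

```python
"""Cross-account access via an IAM role: trust policy, AssumeRole parameters,
and a lint for weak trust-policy patterns.

Added example; account IDs, role names and the external ID below are
placeholders (assumptions), not values from the original question.
"""
import json

COMPANY_ACCOUNT = "111111111111"   # placeholder: the company's AWS account
VENDOR_ACCOUNT = "222222222222"    # placeholder: the vendor's AWS account
VENDOR_ROLE = "vendor-deployer"    # placeholder: execution role of the vendor's app
EXTERNAL_ID = "acme-vendor-7f3c"   # placeholder: shared opaque token, not a secret key
COMPANY_ROLE = "VendorDeployAccess"  # placeholder: role created in the company's account


def trust_policy(vendor_account, vendor_role=None, external_id=None):
    """Build the role's trust (assume-role) policy.

    With vendor_role=None the Principal is the vendor account root, which lets
    any principal in that account that has sts:AssumeRole use the role.
    Naming the vendor's specific role and requiring sts:ExternalId narrows it.
    """
    if vendor_role:
        principal = f"arn:aws:iam::{vendor_account}:role/{vendor_role}"
    else:
        principal = f"arn:aws:iam::{vendor_account}:root"
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_params(company_account, role_name, external_id,
                       session_name="vendor-deploy", duration_seconds=3600):
    """Parameters the vendor's application passes to STS AssumeRole, e.g.
    boto3.client("sts").assume_role(**params). The response contains temporary
    AccessKeyId / SecretAccessKey / SessionToken that expire after the duration."""
    return {
        "RoleArn": f"arn:aws:iam::{company_account}:role/{role_name}",
        "RoleSessionName": session_name,
        "ExternalId": external_id,
        "DurationSeconds": duration_seconds,
    }


def lint_trust_policy(policy):
    """Return findings for trust-policy statements that over-broaden who may
    assume the role: wildcard principals, whole-account principals, and a
    missing sts:ExternalId condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # "Principal": "*" shorthand
            principal = {"AWS": principal}
        aws_principals = principal.get("AWS", [])
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        conditions = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in keys for keys in conditions.values() if isinstance(keys, dict)
        )
        for p in aws_principals:
            if p == "*":
                findings.append("Principal '*': any AWS principal could assume the role")
            elif p.endswith(":root") or p.isdigit():
                findings.append(f"Principal {p} trusts the whole account rather than a specific role")
        if not has_external_id:
            findings.append("No sts:ExternalId condition: confused-deputy risk if the vendor serves many customers")
    return findings


if __name__ == "__main__":
    weak = trust_policy(VENDOR_ACCOUNT)
    hardened = trust_policy(VENDOR_ACCOUNT, VENDOR_ROLE, EXTERNAL_ID)
    print("weak trust policy findings:", lint_trust_policy(weak))
    print("hardened trust policy findings:", lint_trust_policy(hardened))
    print(json.dumps(hardened, indent=2))
    print(json.dumps(assume_role_params(COMPANY_ACCOUNT, COMPANY_ROLE, EXTERNAL_ID), indent=2))
```

The lint is intentionally conservative: trusting an account root is a legitimate pattern when the company cannot learn the vendor's role ARN, but it should be a conscious decision paired with an external ID, not the default. The permissions policy attached to the role is not shown because it depends on what the vendor deploys; it should list only those actions and resources.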

Answer

The correct answer is: A