Question #1941
A company needs to provide temporary access to external contractors for a specific AWS project. The company must ensure that contractors can only access the required resources for a limited time without compromising security.
Which solution will meet these requirements?
A. Create IAM users with permissions for the project and share the credentials directly with all contractors to expedite their onboarding.
B. Define IAM roles with fine-grained permissions limited to the project's requirements. Configure the contractors' AWS accounts to assume these roles via AWS Security Token Service (STS).
C. Grant temporary access by distributing AWS root account credentials to contractors and rotating the credentials after the project concludes.
D. Create IAM policies with broad permissions for the project and attach them to an IAM group. Add all contractor IAM users to this group.
Explanation
Option B is correct because:
- IAM Roles: Define roles with precise permissions for the project, adhering to the principle of least privilege.
- AWS STS: Enables temporary security credentials, ensuring access expires automatically without manual intervention.
- No Credential Sharing: Contractors assume roles via their own AWS accounts, avoiding insecure credential distribution.
Other options fail because:
- A: Sharing IAM user credentials is insecure and requires manual deactivation.
- C: Root credentials grant unrestricted access and pose severe security risks.
- D: Broad permissions violate least privilege, and group-based access isn't inherently temporary.
Key Points: Use IAM roles and STS for temporary, secure access; avoid sharing credentials; enforce least privilege.
Answer
The correct answer is: B
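As an added illustration of option B (not part of the original question), the following Python builds the two policy documents such a role needs, a trust policy that lets only the contractor's own account assume the role when it presents an agreed ExternalId, and a permissions policy scoped to the project's resources, and includes a small check that flags the option-D anti-pattern of wildcard actions or resources. The account ID, bucket name and ExternalId are constructed sample values.

```python
import json

# Constructed sample values, not taken from the original question.
CONTRACTOR_ACCOUNT_ID = "111122223333"   # hypothetical contractor AWS account
PROJECT_BUCKET = "example-project-data"  # hypothetical project bucket
EXTERNAL_ID = "project-alpha-2024"       # hypothetical ExternalId agreed with the contractor

def trust_policy(contractor_account: str, external_id: str) -> dict:
    """Trust policy for the project role: only principals in the contractor's own
    account may call sts:AssumeRole, and only with the agreed ExternalId, so no
    long-lived credentials are ever handed out. Credential lifetime is further
    capped by the role's MaxSessionDuration setting at creation time."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{contractor_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def project_permissions(bucket: str) -> dict:
    """Least-privilege permissions policy limited to the project's bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def policy_violations(policy: dict) -> list:
    """Flag Allow statements with wildcard actions or resources (the broad
    permissions of option D). Returns an empty list for a scoped policy."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource")
    return findings

if __name__ == "__main__":
    print(json.dumps(trust_policy(CONTRACTOR_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(project_permissions(PROJECT_BUCKET), indent=2))
    print(policy_violations(project_permissions(PROJECT_BUCKET)))
```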