Question #678
A company must grant a third-party monitoring service read-only access to its AWS resources. The third party uses a single AWS account, and the solution must adhere to AWS security best practices while ensuring no long-term credentials are shared. A solutions architect needs to implement the most secure approach.
A. In the company's AWS account, create S3 bucket policies and IAM policies granting read-only access to the third party's AWS account. Include a unique external ID in each resource policy.
B. In the company's AWS account, create an IAM role that establishes a trust relationship with the third party's AWS account. Attach a read-only IAM policy to the role and include a unique external ID in the role's trust policy.
C. In the company's AWS account, create an IAM user with read-only permissions. Generate access keys for the IAM user and share them securely with the third party.
D. In the company's AWS account, create an IAM group with read-only permissions. Add IAM users for each third-party administrator to the group.
Explanation
Answer B is correct because:
1. IAM Roles for Cross-Account Access: IAM roles are assumed for temporary security credentials, eliminating the long-term access keys the question rules out.
2. Trust Relationship: The role's trust policy specifies the third party's AWS account, ensuring only authorized entities can assume the role.
3. External ID: Including a unique external ID adds an additional security layer to prevent the 'confused deputy' problem.
4. Read-Only Permissions: Attaching a read-only IAM policy restricts access as required.
Why other options are incorrect:
- A: S3 bucket policies only apply to S3 resources, not all AWS resources. External IDs are not used in resource policies.
- C: IAM users involve long-term credentials (access keys), which violates the requirement.
- D: IAM groups/users require long-term credentials and are not scalable for third-party access.
Key Points:
- Use IAM roles (not users/groups) for cross-account access.
- Temporary credentials via roles enhance security.
- External IDs prevent unauthorized role assumption.
Answer
The correct answer is: B