Question #655
A third-party auditor needs to review compliance data in an AWS account owned by a financial institution. The auditor operates within their own AWS organization (audit-org), while the financial institution's account is part of a separate organization (finance-org). The financial institution must grant secure, least-privilege access using programmatic methods.
What is the MOST secure way to enable audit-org to access resources in finance-org?
A. The financial institution should share their root account credentials with the auditor to allow full access during the compliance review.
B. The financial institution should create an IAM user with read-only permissions and provide the access keys to the auditor for temporary use.
C. The financial institution should create an IAM role with necessary permissions and allow audit-org to assume the role using its ARN without additional safeguards.
D. The financial institution should create an IAM role with required permissions, configure the role's trust policy to include audit-org's account ID and a unique external ID, and provide both to the auditor for role assumption.
Explanation
Answer D is correct because:
1. IAM Roles are preferred over users (B) or root credentials (A) for cross-account access, as they provide temporary credentials and avoid long-term key management.
2. Trust Policy with External ID adds a security layer: the trust policy names audit-org's account ID, and the auditor must supply the matching external ID in the AssumeRole call, so the role cannot be assumed by a party that merely learns its ARN (unlike C).
3. Least Privilege: The role is configured with only necessary permissions.
Why other options are wrong:
- A: Sharing root credentials violates security best practices (full access, no audit trail).
- B: IAM users require manual key rotation and lack cross-account scalability.
- C: Missing external ID makes the role vulnerable if the auditor's account is compromised.
Key Points:
- Use IAM roles for cross-account access.
- Always include external IDs in trust policies for third-party access.
- Avoid sharing credentials or using long-term access keys.
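As an added illustration (not part of the original question), the following Python builds the trust policy from option D beside the one from option C and runs a toy evaluator that mimics the principal and sts:ExternalId checks; the account IDs and the external ID are constructed placeholders.

```python
# Added example, not from the original question: a simplified model of how a
# role trust policy is evaluated, comparing option C (no external ID) with
# option D (trusted account ID plus sts:ExternalId condition).
# The account IDs and external ID are constructed placeholders.
import json

AUDIT_ORG_ACCOUNT = "111111111111"       # constructed: audit-org's account ID
EXTERNAL_ID = "finance-audit-7f3a9c"     # constructed: unique value agreed out of band


def trust_policy(external_id=None):
    """Return the role's trust policy; external_id=None reproduces option C."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AUDIT_ORG_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        # Option D: sts:AssumeRole must carry a matching ExternalId parameter
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def can_assume(policy, caller_account, external_id=None):
    """Toy evaluator: allow only if the caller's account is the trusted principal
    and any sts:ExternalId condition matches what the caller supplied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


if __name__ == "__main__":
    weak, hardened = trust_policy(), trust_policy(EXTERNAL_ID)
    print(json.dumps(hardened, indent=2))
    # Option C: anything the auditor's account delegates to can assume the role
    print("C, no external ID:", can_assume(weak, AUDIT_ORG_ACCOUNT))                  # True
    # Option D: the same caller is refused until it presents the agreed value
    print("D, no external ID:", can_assume(hardened, AUDIT_ORG_ACCOUNT))              # False
    print("D, correct value :", can_assume(hardened, AUDIT_ORG_ACCOUNT, EXTERNAL_ID))  # True
    # A different account is refused by both policies regardless of external ID
    print("D, other account :", can_assume(hardened, "222222222222", EXTERNAL_ID))     # False
```

The evaluator is a deliberately small model of the real IAM logic, enough to show why the ARN alone is not a secret and why the external ID check belongs in the trust policy rather than in documentation.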
Answer
The correct answer is: D