Question 4
Domain 3: Continuous Improvement for Existing Solutions
An AWS partner company is building a service in AWS Organizations using its organization named org1. This service requires the partner company to have access to AWS resources in a customer account, which is in a separate organization named org2. The company must establish least privilege security access using an API or command line tool to the customer account. What is the MOST secure way to allow org1 to access resources in org2?
Correct answer: C
Explanation
AWS cross-account access is best done with an IAM role because a role grants temporary credentials and can be limited to only the required permissions, which matches least privilege. The customer account in org2 should "create an IAM role and assign the required permissions to the IAM role," and the partner in org1 should use the role’s ARN to assume it for the needed API or CLI actions.
Why each option is right or wrong
A. The customer should provide the partner company with their AWS account access keys to log in and perform the required tasks.
Sharing account access keys exposes long-term credentials and grants broader access than necessary.
B. The customer should create an IAM user and assign the required permissions to the IAM user. The customer should then provide the credentials to the partner company to log in and perform the required tasks.
IAM user credentials are long-term secrets; cross-account access should generally use assumable roles instead.
C. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role's Amazon Resource Name (ARN) when requesting access to perform the required tasks.
AWS cross-account access is governed by IAM role assumption: the customer account in org2 must create the role, attach only the required permissions policy, and trust the partner principal so it can be assumed via STS. Under the IAM role model, the partner in org1 uses the role ARN with AWS Security Token Service (for example, AssumeRole) to obtain temporary credentials, which is the least-privilege pattern because no long-term access keys are shared across organizations.
D. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role's Amazon Resource Name (ARN), including the external ID in the IAM role's trust policy, when requesting access to perform the required tasks.
External ID belongs in the assume-role request context, not embedded as stated here.
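The role-assumption pattern behind option C, as an added example that is not part of the original question or explanation: the customer (org2) builds a trust policy that lets only the partner account assume the role and a permissions policy scoped to the needed actions, a heuristic check flags wildcard principals, actions or resources, and the partner (org1) obtains temporary credentials with the role ARN. The account IDs, role name and bucket name are constructed placeholders, and the least-privilege check is an illustrative heuristic rather than a full policy analyzer.

```python
PARTNER_ACCOUNT_ID = "111111111111"   # constructed placeholder: partner account in org1
CUSTOMER_ACCOUNT_ID = "222222222222"  # constructed placeholder: customer account in org2
ROLE_NAME = "PartnerAccessRole"       # constructed placeholder role name

def trust_policy(partner_account_id):
    """Trust policy the customer (org2) attaches to the role: only the partner
    account may call sts:AssumeRole on it, so no long-term keys change hands."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def permissions_policy(bucket):
    """Permissions policy scoped to the exact actions and resources the partner needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def least_privilege_issues(policy):
    """Heuristic review: flag wildcard principals, actions or resources in Allow statements."""
    issues = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            issues.append("wildcard principal")
        for key in ("Action", "Resource"):
            values = stmt.get(key, [])
            values = [values] if isinstance(values, str) else values
            if any(v == "*" or v.endswith(":*") for v in values):
                issues.append(f"wildcard {key.lower()}")
    return issues

def assume_role_command(customer_account_id, role_name, session_name):
    """AWS CLI call the partner (org1) runs to obtain temporary credentials for the role."""
    role_arn = f"arn:aws:iam::{customer_account_id}:role/{role_name}"
    return f"aws sts assume-role --role-arn {role_arn} --role-session-name {session_name}"
```

The temporary credentials returned by `aws sts assume-role` expire on their own, which is why this pattern avoids the long-term secrets that options A and B would share.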