
Answer-first summary for fast verification
Answer: Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:ExternalId condition key.
The correct answer is D: create a unique IAM role for each external account and give each role a trust policy whose condition uses the sts:ExternalId condition key. A separate role per third-party account means no two external accounts ever share a role or the temporary credentials that sts:AssumeRole returns, and the credentials are short-lived by design. The sts:ExternalId condition is the standard mitigation for the confused deputy problem: a third party that serves many customers must pass the external ID you assigned when it calls AssumeRole, so one of its other customers cannot trick it into assuming your role by supplying your role ARN. Note that the external ID is not a secret and does not prove the caller's identity; the Principal element of the trust policy does that. It is a per-customer value that binds a role to one relationship. Operationally this is two IAM resources per partner (role and trust policy) and nothing else to run.
Why the other options fall short: option A uses Amazon Cognito user pools to authorize calls to your own API Gateway APIs and has nothing to do with the AWS Management Console or cross-account access to your organization's accounts. Option B, IAM Identity Center, federates your own workforce from an identity source; third-party AWS accounts are not an identity source, and operating it for external partners adds effort the question asks to avoid. Option C misuses AWS Secrets Manager: it can generate a random string, but a value stored in Secrets Manager plays no part in trust policy evaluation unless it is referenced as an sts:ExternalId condition, which is option D.
Author: LeetQuiz Editorial Team
A company that uses AWS Organizations wants to give third-party AWS accounts short-term credentials for access to its organization's accounts. The access must cover the AWS Management Console and third-party SaaS applications. To strengthen trust and security, the solution must prevent two external accounts from using the same credentials, and it should require minimal operational effort. Which solution meets these requirements?
A. Use bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.
B. Implement AWS IAM Identity Center (AWS Single Sign-On) and use an identity source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.
C. Create a unique IAM role for each external account. Create a trust policy using AWS Secrets Manager to create a random external key.
D. Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:ExternalId condition key.
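The following is an added example, not part of the original quiz page, showing what option D looks like in practice: one trust policy per external account, each keyed on its own sts:ExternalId value, plus a small evaluator that models how STS applies the Principal and Condition elements so the confused-deputy case can be checked offline. The account IDs, role names and the `provision_roles` / `assume_role_allowed` helpers are assumptions for illustration; the evaluator covers only the policy fields this example uses and is not a full IAM policy engine.

```python
"""Per-account IAM roles whose trust policy requires a unique sts:ExternalId.

Added example (not from the quiz page). Account IDs and role names are made up.
"""
import json
import secrets
from typing import Dict, Optional


def new_external_id() -> str:
    # The external ID is not a secret, but it must be unique per customer and
    # hard to guess; 32 hex characters from the OS CSPRNG is a reasonable choice.
    return secrets.token_hex(16)


def build_trust_policy(external_account_id: str, external_id: str) -> dict:
    """Trust policy for a role that only `external_account_id` may assume,
    and only when it passes the matching ExternalId to sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{external_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_allowed(trust_policy: dict, caller_account_id: str,
                        external_id: Optional[str]) -> bool:
    """Minimal model of STS evaluating an AssumeRole request against the
    trust policy: the caller's account must match Principal and, when the
    statement carries an sts:ExternalId condition, the request must supply
    exactly that value. A missing ExternalId never satisfies StringEquals."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account_id}:root":
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is not None and external_id != expected:
            continue
        return True
    return False


def provision_roles(external_account_ids) -> Dict[str, dict]:
    """One role and one ExternalId per third-party account. Returns, per
    account, the role name, the trust policy to attach, and the ExternalId
    to hand to that party out of band."""
    roles = {}
    for account_id in external_account_ids:
        ext_id = new_external_id()
        roles[account_id] = {
            "role_name": f"partner-{account_id}",
            "external_id": ext_id,
            "trust_policy": build_trust_policy(account_id, ext_id),
        }
    return roles


if __name__ == "__main__":
    # Constructed sample: two partner accounts (fake IDs), each gets its own role.
    roles = provision_roles(["111122223333", "444455556666"])
    a, b = roles["111122223333"], roles["444455556666"]
    print(json.dumps(a["trust_policy"], indent=2))

    # Legitimate call from partner A with A's ExternalId.
    print(assume_role_allowed(a["trust_policy"], "111122223333", a["external_id"]))  # True
    # Confused deputy attempt: partner B tries A's role with B's own ExternalId.
    print(assume_role_allowed(a["trust_policy"], "444455556666", b["external_id"]))  # False
    # Correct account but ExternalId omitted: denied, which is the point of the condition.
    print(assume_role_allowed(a["trust_policy"], "111122223333", None))  # False
```

To deploy a generated policy, write it to a file and create the role with `aws iam create-role --role-name partner-111122223333 --assume-role-policy-document file://trust.json`; the partner then calls `aws sts assume-role --role-arn <role ARN> --role-session-name <name> --external-id <value>` (the same parameters exist on the SDK `AssumeRole` call). Only the ExternalId condition needs to change per partner, so onboarding a new account is one role plus one trust policy, with nothing else to operate.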