AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has hired an external vendor to perform work in the company's AWS account. The vendor uses an automated tool that is hosted in an AWS account that the vendor owns. The vendor does not have IAM access to the company's AWS account. How should a solutions architect grant this access to the vendor?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create an IAM role in the company's account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires.

Create an IAM user in the company's account with a password that meets the password complexity requirements. Attach the appropriate IAM policies to the user for the permissions that the vendor requires.

Create an IAM group in the company's account. Add the tool’s IAM user from the vendor account to the group. Attach the appropriate IAM policies to the group for the permissions that the vendor requires.

Create a new identity provider by choosing “AWS account” as the provider type in the IAM console. Supply the vendor’s AWS account ID and user name. Attach the appropriate IAM policies to the new provider for the permissions that the vendor requires.

Explanation:

Explanation

The correct answer is A because this scenario describes a cross-account access scenario where the vendor needs to access resources in the company's AWS account from their own AWS account.

Why Option A is Correct:

Cross-Account IAM Roles: AWS recommends using IAM roles for cross-account access rather than sharing credentials.
Security Best Practice: The vendor's automated tool can assume the IAM role in the company's account using AWS Security Token Service (STS).
No Credential Sharing: This approach doesn't require sharing long-term credentials (access keys or passwords).
Temporary Credentials: The vendor's tool gets temporary security credentials with limited lifetime.
Principle of Least Privilege: You can attach specific IAM policies to the role granting only the permissions the vendor needs.

Why Other Options are Incorrect:

Option B (Creating IAM user):

Creates long-term credentials that need to be shared
Requires password/access key management
Less secure than role-based access
Doesn't leverage cross-account capabilities

Option C (Adding vendor's IAM user to group):

IAM users cannot be shared across AWS accounts
Each IAM user is scoped to a single AWS account
This is not technically possible in AWS

Option D (Creating identity provider):

This describes setting up a trust relationship incorrectly
"AWS account" as provider type is for setting up trust with another AWS account, but policies are attached to roles, not providers
The explanation incorrectly states attaching policies to the provider

Implementation Steps:

In Company's Account: Create IAM role with trust policy allowing the vendor's AWS account
Attach Permissions: Attach IAM policies granting required permissions to the role
In Vendor's Account: The vendor's tool assumes the role using AWS STS AssumeRole API
Access Control: The vendor gets temporary credentials with the role's permissions

This approach follows AWS security best practices for cross-account access scenarios.

Powered ByGPT-5.2

Comments

Loading comments...