
Answer-first summary for fast verification
Answer: Create an IAM role in the company's account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires.
## Explanation

The correct answer is **A** because this scenario describes a cross-account access scenario: the vendor needs to access resources in the company's AWS account from an AWS account that the vendor owns.

### Why Option A is Correct:

1. **Cross-Account IAM Roles**: AWS recommends using IAM roles for cross-account access rather than sharing credentials.
2. **Security Best Practice**: The vendor's automated tool can assume the IAM role in the company's account using AWS Security Token Service (STS).
3. **No Credential Sharing**: This approach doesn't require sharing long-term credentials (access keys or passwords).
4. **Temporary Credentials**: The vendor's tool gets temporary security credentials with a limited lifetime.
5. **Principle of Least Privilege**: You can attach specific IAM policies to the role granting only the permissions the vendor needs.

### Why Other Options are Incorrect:

**Option B (Creating an IAM user)**:
- Creates long-term credentials that need to be shared
- Requires password/access key management
- Less secure than role-based access
- Doesn't leverage cross-account capabilities

**Option C (Adding the vendor's IAM user to a group)**:
- IAM users cannot be shared across AWS accounts
- Each IAM user is scoped to a single AWS account
- This is not technically possible in AWS

**Option D (Creating an identity provider)**:
- This describes setting up a trust relationship incorrectly
- "AWS account" as a provider type is for setting up trust with another AWS account, but policies are attached to roles, not to providers
- The option describes attaching policies to the provider, which IAM does not support

### Implementation Steps:

1. **In the Company's Account**: Create an IAM role with a trust policy allowing the vendor's AWS account
2. **Attach Permissions**: Attach IAM policies granting the required permissions to the role
3. **In the Vendor's Account**: The vendor's tool assumes the role using the AWS STS `AssumeRole` API
4. **Access Control**: The vendor gets temporary credentials with the role's permissions

This approach follows AWS security best practices for cross-account access scenarios.
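The two policy documents behind steps 1 and 2, plus a small review check, as an added example (not from the original page). Account ID, role name and bucket ARN are constructed placeholders; the `sts:ExternalId` condition is an added hardening step that AWS documents for third-party access, not something the question requires.

```python
import json

# Constructed placeholder identifiers, not values from the original page.
VENDOR_ACCOUNT_ID = "111111111111"
VENDOR_ROLE_NAME = "VendorToolRole"
COMPANY_BUCKET_ARN = "arn:aws:s3:::company-example-bucket"


def build_trust_policy(vendor_account_id, vendor_role_name, external_id):
    """Trust policy for the role created in the company's account (step 1).

    Only the vendor's specific role may call sts:AssumeRole, and only when it
    presents the agreed ExternalId (mitigates the confused-deputy problem).
    """
    vendor_role_arn = f"arn:aws:iam::{vendor_account_id}:role/{vendor_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": vendor_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(bucket_arn):
    """Least-privilege permissions policy attached to the role (step 2):
    read-only access to a single bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{bucket_arn}/*"},
        ],
    }


def review_trust_policy(policy):
    """Return findings for trust statements that are broader than the design above."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        aws_list = aws if isinstance(aws, list) else [aws]
        if "*" in aws_list:
            findings.append("trusts any AWS principal")
        if "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
            findings.append("no sts:ExternalId condition")
    return findings
```

Feed the trust policy to `aws iam create-role --assume-role-policy-document` and the permissions policy to `aws iam put-role-policy`; the vendor's tool then calls `sts:AssumeRole` with the role ARN and the same ExternalId.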
Author: LeetQuiz Editorial Team
A company has hired an external vendor to perform work in the company's AWS account. The vendor uses an automated tool that is hosted in an AWS account that the vendor owns. The vendor does not have IAM access to the company's AWS account. How should a solutions architect grant this access to the vendor?
A. Create an IAM role in the company's account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires.

B. Create an IAM user in the company's account with a password that meets the password complexity requirements. Attach the appropriate IAM policies to the user for the permissions that the vendor requires.

C. Create an IAM group in the company's account. Add the tool's IAM user from the vendor account to the group. Attach the appropriate IAM policies to the group for the permissions that the vendor requires.

D. Create a new identity provider by choosing "AWS account" as the provider type in the IAM console. Supply the vendor's AWS account ID and user name. Attach the appropriate IAM policies to the new provider for the permissions that the vendor requires.