AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company runs an infrastructure monitoring service. The company is building a new feature that will enable the service to monitor data in customer AWS accounts. The new feature will call AWS APIs in customer accounts to describe Amazon EC2 instances and read Amazon CloudWatch metrics.

What should the company do to obtain access to customer accounts in the MOST secure way?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch permissions and a trust policy to the company's account.

Create a serverless API that implements a token vending machine to provide temporary AWS credentials for a role with read-only EC2 and CloudWatch permissions.

Ensure that the customers create an IAM user in their account with read-only EC2 and CloudWatch permissions. Encrypt and store customer access and secret keys in a secrets management system.

Ensure that the customers create an Amazon Cognito user in their account to use an IAM role with read-only EC2 and CloudWatch permissions. Encrypt and store the Amazon Cognito user and password in a secrets management system.

Explanation:

Explanation

Correct Answer: A

This is the most secure approach for cross-account access in AWS. Here's why:

Why Option A is Correct:

IAM Roles with Trust Policies: This uses AWS's built-in cross-account access mechanism where customers create an IAM role in their account with a trust policy that allows the company's AWS account to assume that role.
Temporary Credentials: When the company's service assumes the role, it receives temporary security credentials that automatically expire, reducing the risk of credential leakage.
No Long-term Credential Storage: The company doesn't need to store any long-term credentials (access keys, passwords) for customer accounts.
Principle of Least Privilege: The role can be configured with read-only permissions specifically for EC2 and CloudWatch, following security best practices.
Auditability: All role assumption activities are logged in AWS CloudTrail, providing audit trails.

Why Other Options Are Less Secure:

Option B: While token vending machines can be secure, they add unnecessary complexity. AWS already provides a simpler, more secure mechanism through IAM roles with trust policies.

Option C: This approach requires storing long-term credentials (access keys) which:

Never expire unless manually rotated
Create a significant security risk if compromised
Require complex key rotation processes
Violates AWS security best practices for cross-account access

Option D: Using Amazon Cognito for this purpose is inappropriate because:

Cognito is designed for user authentication, not service-to-service cross-account access
Requires storing passwords, which is less secure than using IAM roles
Adds unnecessary complexity for a simple cross-account access scenario

Best Practices Demonstrated:

Use IAM roles for cross-account access instead of sharing credentials
Leverage temporary security credentials that automatically expire
Implement the principle of least privilege with specific read-only permissions
Avoid storing long-term credentials in any system
Use AWS-native security mechanisms rather than building custom solutions

This approach aligns with AWS Well-Architected Framework security best practices and is the recommended method for secure cross-account access.

Powered ByGPT-5.2

Comments

Loading comments...