Answer-first summary for fast verification
Answer: Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch permissions and a trust policy to the company's account.
## Explanation **Correct Answer: A** This is the most secure approach for cross-account access in AWS. Here's why: ### Why Option A is Correct: 1. **IAM Roles with Trust Policies**: This uses AWS's built-in cross-account access mechanism where customers create an IAM role in their account with a trust policy that allows the company's AWS account to assume that role. 2. **Temporary Credentials**: When the company's service assumes the role, it receives temporary security credentials that automatically expire, reducing the risk of credential leakage. 3. **No Long-term Credential Storage**: The company doesn't need to store any long-term credentials (access keys, passwords) for customer accounts. 4. **Principle of Least Privilege**: The role can be configured with read-only permissions specifically for EC2 and CloudWatch, following security best practices. 5. **Auditability**: All role assumption activities are logged in AWS CloudTrail, providing audit trails. ### Why Other Options Are Less Secure: **Option B**: While token vending machines can be secure, they add unnecessary complexity. AWS already provides a simpler, more secure mechanism through IAM roles with trust policies. **Option C**: This approach requires storing long-term credentials (access keys) which: - Never expire unless manually rotated - Create a significant security risk if compromised - Require complex key rotation processes - Violates AWS security best practices for cross-account access **Option D**: Using Amazon Cognito for this purpose is inappropriate because: - Cognito is designed for user authentication, not service-to-service cross-account access - Requires storing passwords, which is less secure than using IAM roles - Adds unnecessary complexity for a simple cross-account access scenario ### Best Practices Demonstrated: 1. **Use IAM roles for cross-account access** instead of sharing credentials 2. **Leverage temporary security credentials** that automatically expire 3. **Implement the principle of least privilege** with specific read-only permissions 4. **Avoid storing long-term credentials** in any system 5. **Use AWS-native security mechanisms** rather than building custom solutions This approach aligns with AWS Well-Architected Framework security best practices and is the recommended method for secure cross-account access.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A company runs an infrastructure monitoring service. The company is building a new feature that will enable the service to monitor data in customer AWS accounts. The new feature will call AWS APIs in customer accounts to describe Amazon EC2 instances and read Amazon CloudWatch metrics.
What should the company do to obtain access to customer accounts in the MOST secure way?
A
Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch permissions and a trust policy to the company's account.
B
Create a serverless API that implements a token vending machine to provide temporary AWS credentials for a role with read-only EC2 and CloudWatch permissions.
C
Ensure that the customers create an IAM user in their account with read-only EC2 and CloudWatch permissions. Encrypt and store customer access and secret keys in a secrets management system.
D
Ensure that the customers create an Amazon Cognito user in their account to use an IAM role with read-only EC2 and CloudWatch permissions. Encrypt and store the Amazon Cognito user and password in a secrets management system.