
Answer-first summary for fast verification
Answer: In every business account, create an IAM role named BU_ROLE with a policy that gives the role access to the DynamoDB table and a trust policy to trust a specific role in the inventory application account. In the inventory account, create a role named APP_ROLE that allows access to the STS AssumeRole API operation. Configure the application to use APP_ROLE and assume the cross-account role BU_ROLE to read the DynamoDB table.
## Explanation

**Option C is the MOST secure solution** for the following reasons:

### Why Option C is Correct

1. **Cross-Account IAM Roles**: This approach uses AWS IAM roles with cross-account trust policies, which is the AWS recommended best practice for cross-account access.
2. **Temporary Credentials**: When the application assumes BU_ROLE, it receives temporary security credentials that expire automatically, reducing the risk of credential leakage.
3. **No Long-Term Credentials**: Unlike IAM users (Option B) or secrets in Secrets Manager (Option A), there are no long-term access keys or secrets to manage, rotate, or potentially leak.
4. **Least Privilege**: BU_ROLE can be configured with specific permissions to only read from the DynamoDB tables, following the principle of least privilege.
5. **Centralized Management**: The inventory application uses its own APP_ROLE to assume the business unit roles, providing centralized control.

### Why Other Options Are Less Secure

**Option A (Secrets Manager)**:
- Still involves managing long-term credentials
- Requires manual rotation configuration
- Secrets could be compromised if not properly secured

**Option B (IAM Users)**:
- Uses long-term access keys, which are a security risk
- Requires manual rotation every 30 days (prone to human error)
- IAM users are generally not recommended for application authentication

**Option D (ACM Certificates)**:
- ACM is for SSL/TLS certificates, not for DynamoDB authentication
- DynamoDB doesn't support certificate-based authentication in this manner
- This option is technically incorrect for DynamoDB access

### Security Best Practices Applied in Option C

- **Temporary credentials** via STS AssumeRole
- **Cross-account access** using IAM roles
- **No credential storage** in the application
- **Automatic credential expiration**
- **Fine-grained permissions** through IAM policies
- **Auditability** through CloudTrail logging of AssumeRole calls

This solution aligns with AWS security best practices for cross-account access scenarios.
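The following is an added example, not part of the original quiz page, showing what Option C looks like in practice: the trust policy on BU_ROLE that names the specific APP_ROLE (rather than the whole inventory account), a read-only permissions policy for the DynamoDB table, the matching `sts:AssumeRole` permission on APP_ROLE, two small checks that catch the common mistakes (trusting an account root or `*`, or granting write actions), and the boto3 call that assumes BU_ROLE and reads an item with the resulting temporary credentials. Account IDs, the table ARN and the region are constructed placeholders; the boto3 import is optional so the policy helpers also run without the SDK.

```python
"""Cross-account read access via IAM roles (constructed example; identifiers are placeholders)."""
import json

try:
    import boto3  # only needed for the live AssumeRole + DynamoDB call
except ImportError:  # policy helpers and checks still work without the SDK
    boto3 = None

# Placeholder identifiers (assumed, not from the page)
INVENTORY_ACCOUNT_ID = "111111111111"
APP_ROLE_ARN = f"arn:aws:iam::{INVENTORY_ACCOUNT_ID}:role/APP_ROLE"
TEAM_TABLE_ARN = "arn:aws:dynamodb:us-east-1:222222222222:table/Inventory"

# The only DynamoDB actions a reporting application needs: read and describe.
READ_ONLY_ACTIONS = (
    "dynamodb:GetItem", "dynamodb:BatchGetItem",
    "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable",
)


def bu_role_trust_policy(app_role_arn, external_id=None):
    """Trust policy for BU_ROLE: only the named APP_ROLE may assume it."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": app_role_arn}, "Action": "sts:AssumeRole"}
    if external_id:  # optional confused-deputy guard, checked at AssumeRole time
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def bu_role_permissions_policy(table_arn):
    """Permissions policy for BU_ROLE: read-only on one table and its indexes."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": list(READ_ONLY_ACTIONS),
        "Resource": [table_arn, f"{table_arn}/index/*"],
    }]}


def app_role_permissions_policy(bu_role_arns):
    """Permissions policy for APP_ROLE: may assume only the listed BU_ROLEs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": list(bu_role_arns),
    }]}


def check_trust_policy(policy, expected_principal):
    """Return findings if the trust policy is broader than the single expected role."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in (aws if isinstance(aws, list) else [aws]):
            if p == "*" or p.endswith(":root"):
                findings.append(f"trust policy principal too broad: {p}")
            elif p != expected_principal:
                findings.append(f"unexpected principal: {p}")
    return findings


def check_read_only(policy):
    """Return findings for any action outside the read-only DynamoDB set."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        for a in (actions if isinstance(actions, list) else [actions]):
            if a not in READ_ONLY_ACTIONS:
                findings.append(f"non-read action granted: {a}")
    return findings


def read_team_item(bu_role_arn, table_name, key, region="us-east-1"):
    """Assume BU_ROLE using the application's own APP_ROLE credentials, then read one item.

    Needs boto3 and live credentials; the temporary credentials expire on their own
    (DurationSeconds=900 is the STS minimum), so nothing long-lived is stored.
    """
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live call")
    creds = boto3.client("sts").assume_role(
        RoleArn=bu_role_arn, RoleSessionName="inventory-report", DurationSeconds=900,
    )["Credentials"]
    ddb = boto3.client(
        "dynamodb", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return ddb.get_item(TableName=table_name, Key=key).get("Item")


if __name__ == "__main__":
    trust = bu_role_trust_policy(APP_ROLE_ARN)
    perms = bu_role_permissions_policy(TEAM_TABLE_ARN)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust findings:", check_trust_policy(trust, APP_ROLE_ARN))
    print("perms findings:", check_read_only(perms))
```

The two `check_*` functions are the review step a defender would run before deploying: a trust policy whose principal is `arn:aws:iam::111111111111:root` lets any principal in the inventory account with `sts:AssumeRole` permission assume BU_ROLE, while naming `APP_ROLE` keeps the blast radius to that one role. Every AssumeRole call made by `read_team_item` lands in the business account's CloudTrail with the session name, which is the audit trail the explanation refers to.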
Author: LeetQuiz Editorial Team
A retail company has several businesses. The IT team for each business manages its own AWS account. Each team account is part of an organization in AWS Organizations. Each team monitors its product inventory levels in an Amazon DynamoDB table in the team's own AWS account.
The company is deploying a central inventory reporting application into a shared AWS account. The application must be able to read items from all the teams' DynamoDB tables.
Which authentication option will meet these requirements MOST securely?
A. Integrate DynamoDB with AWS Secrets Manager in the inventory application account. Configure the application to use the correct secret from Secrets Manager to authenticate and read the DynamoDB table. Schedule secret rotation for every 30 days.
B. In every business account, create an IAM user that has programmatic access. Configure the application to use the correct IAM user access key ID and secret access key to authenticate and read the DynamoDB table. Manually rotate IAM access keys every 30 days.
C. In every business account, create an IAM role named BU_ROLE with a policy that gives the role access to the DynamoDB table and a trust policy to trust a specific role in the inventory application account. In the inventory account, create a role named APP_ROLE that allows access to the STS AssumeRole API operation. Configure the application to use APP_ROLE and assume the cross-account role BU_ROLE to read the DynamoDB table.
D. Integrate DynamoDB with AWS Certificate Manager (ACM). Generate identity certificates to authenticate DynamoDB. Configure the application to use the correct certificate to authenticate and read the DynamoDB table.