Explanation:
Option D is the correct answer.
To review configurations, the security administrator only needs read-only access. Providing administrator access (Options B and C) violates the security principle of least privilege. Furthermore, sharing IAM user credentials across accounts (Options A and B) is a poor security practice and poses significant security risks. The most secure and AWS-recommended way to grant cross-account access is by using an IAM role with a trust policy that allows the security administrator's account to assume the role (Option D).
Ultimate access to all questions.
A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company's security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts. Which solution will meet these requirements in the MOST secure manner?
A
Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.
B
Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.
C
Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
D
Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
No comments yet.