A company runs an infrastructure monitoring service. The company is building a new feature that will enable the service to monitor data in customer AWS accounts. The new feature will call AWS APIs in customer accounts to describe Amazon EC2 instances and read Amazon CloudWatch metrics. What should the company do to obtain access to customer accounts in the MOST secure way?
Choose an answer
Tap an option to check your answer.
Correct answer: Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch permissions and a trust policy to the company’s account..
Why this is the answer
The most secure way to access customer AWS accounts for monitoring is through cross-account IAM roles. Customers create an IAM role in their account with the necessary read-only EC2 and CloudWatch permissions. The role's trust policy is configured to allow the company's AWS account to assume this role. This mechanism grants temporary, scoped access without sharing long-term credentials, enhancing security and auditability. Creating a serverless API with a token vending machine is overly complex for this use case, as direct role assumption is simpler and equally secure for cross-account access. Creating an IAM user and storing its access keys is insecure because it involves managing long-lived credentials, which are a significant security risk if compromised. Using Amazon Cognito is designed for user authentication to applications, not for programmatic cross-account AWS API access, and storing Cognito user credentials also presents a security risk.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed