An external vendor needs access to the company’s AWS account to run an automated tool hosted in the vendor’s own AWS account. The vendor currently has no IAM access to the company’s account. Which solution will provide the MOST secure way to grant the vendor access?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an IAM role in the company’s account that delegates access to the vendor’s IAM role and attach the appropriate IAM policies to that role for the permissions the vendor requires..
Why this is the answer
Creating an IAM role in the company's account that delegates access to the vendor's IAM role is the most secure method. This establishes a trust relationship where the vendor's AWS account (specifically, an IAM role within it) can assume the role in the company's account. This avoids sharing long-term credentials like access keys or passwords, which are inherently less secure. The company maintains full control over the permissions granted to its role, and the vendor's access is limited to the duration of the assumed role session. Creating an IAM user with a password is less secure because it involves managing and potentially sharing long-term credentials. Creating an IAM group and adding the vendor's IAM user is not a valid AWS mechanism for cross-account access; IAM users belong to a single account. Creating an IAM user with a permission boundary is a valid concept for restricting permissions, but it still involves creating a long-term IAM user in the company's account, which is less secure than a temporary role assumption for cross-account access.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed