An external vendor will run an automated tool from the vendor’s own AWS account to perform work in the company’s AWS account. The vendor does not have IAM access to the company’s account. How should a solutions architect grant the vendor access?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an IAM role in the company’s account to delegate access to the vendor’s IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires..
Why this is the answer
Creating an IAM role in the company's account and configuring it to trust the vendor's AWS account (specifically, the vendor's IAM role) is the most secure and recommended method for cross-account access. This approach allows the vendor's automated tool to assume the role in the company's account, gaining temporary credentials and the permissions defined by the attached policies, without sharing long-term credentials. Creating an IAM user for the vendor is less secure as it involves managing long-term credentials (password or access keys) that could be compromised. IAM groups are for organizing users within a single account, not for cross-account access. While an identity provider can be used, the specific "AWS account" provider type is not how cross-account role assumption is configured; it's done via the trust policy of an IAM role.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed