Which additional component will provide the vendor with the MOST secure access to the account?

By:
In: SAA-C02
Tagged:
With: 2 Comments
A company is using a third-party vendor to manage its marketplace analytics.The vendor needs limited programmatic access to resources in the company’s account.All the needed policies have been created to grant appropriate access.

Which additional component will provide the vendor with the MOST secure access to the account?

Create an IAM user.

Implement a service control policy (SCP)

Use a cross-account role with an external ID.

Configure a single sign-on (SSO) identity provider.

Explanations:

Creating an IAM user would provide the vendor with direct access to the account, which may not be the most secure option. It could lead to potential misuse or access beyond the intended scope.

Implementing a service control policy (SCP) is a way to manage permissions across accounts in an AWS Organization, but it does not grant access to the vendor directly. SCPs are more about governance than providing access, making it less suitable for the scenario.

Using a cross-account role with an external ID allows the vendor to assume a role in the company’s account with limited permissions, ensuring that the access is temporary and controlled. The external ID adds an extra layer of security to prevent the vendor from using the role maliciously.

Configuring a single sign-on (SSO) identity provider can simplify access management but does not specifically address the need for limited programmatic access. SSO is more about user authentication rather than providing secure programmatic access for third-party vendors.

2026-04-08

2 Comments

  1. Virginia
    Author

    My best guess is:
    Use a cross-account role with an external ID.

  2. Jacqueline
    Author

    I estimate that the answer is:
    Use a cross-account role with an external ID.

Leave a Reply

Your email address will not be published. Required fields are marked *

11 − ten =