Which additional component will provide the vendor with the MOST secure access to the account?
Create an IAM user.
Implement a service control policy (SCP).
Use a cross-account role with an external ID.
Configure a single sign-on (SSO) identity provider.
Explanations:
Creating an IAM user would provide the vendor with direct access to the account, which may not be the most secure option. It could lead to potential misuse or access beyond the intended scope.
Implementing a service control policy (SCP) is a way to manage permissions across accounts in an AWS Organization, but it does not grant access to the vendor directly. SCPs are more about governance than about providing access, which makes them less suitable for the scenario.
Using a cross-account role with an external ID allows the vendor to assume a role in the company’s account with limited permissions, ensuring that the access is temporary and controlled. The external ID adds an extra layer of security to prevent the vendor from using the role maliciously.
Configuring a single sign-on (SSO) identity provider can simplify access management but does not specifically address the need for limited programmatic access. SSO is more about user authentication than about providing secure programmatic access for third-party vendors.