Which additional component will provide the vendor with the MOST secure access to the account?

By: study aws cloud

Tagged: Solutions Architect Associate

With: 1 Comment

A company is using a third-party vendor to manage its marketplace analytics.The vendor needs limited programmatic access to resources in the company’s account.All the needed policies have been created to grant appropriate access.

Which additional component will provide the vendor with the MOST secure access to the account?

Create an IAM user.

Implement a service control policy (SCP)

Use a cross-account role with an external ID.

Configure a single sign-on (SSO) identity provider.

Explanations:

Creating an IAM user would provide the vendor with direct access to the account, which may not be the most secure option. It could lead to potential misuse or access beyond the intended scope.

Implementing a service control policy (SCP) is a way to manage permissions across accounts in an AWS Organization, but it does not grant access to the vendor directly. SCPs are more about governance than providing access, making it less suitable for the scenario.

Using a cross-account role with an external ID allows the vendor to assume a role in the company’s account with limited permissions, ensuring that the access is temporary and controlled. The external ID adds an extra layer of security to prevent the vendor from using the role maliciously.

Configuring a single sign-on (SSO) identity provider can simplify access management but does not specifically address the need for limited programmatic access. SSO is more about user authentication rather than providing secure programmatic access for third-party vendors.

Previous Post: What is likely to be the problem?

Next Post: What is the maximum length for a certificate ID in AWS IAM?

1 Comment

Author

My best guess is:
Use a cross-account role with an external ID.

Virginia

2 weeks ago

Permalink

Reply

Leave a Reply Cancel reply