Which of the following would meet all of these conditions?
From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application create a new access and secret key for the user and provide these credentials to the SaaS provider.
Create an IAM role for cross-account access allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the SaaS application to work, provide the role ARN to the SaaS provider to use when launching their application instances.
Explanations:
Retrieving access and secret keys from the Security Credentials page is not a secure practice, as it uses root account credentials which do not adhere to the principle of least privilege and could expose unnecessary access to the SaaS provider.
Creating an IAM user with access keys gives the SaaS application permissions but lacks control over cross-account access and does not restrict the keys’ usage to only the SaaS provider, violating security policies.
Creating a cross-account IAM role allows the SaaS provider to assume the role securely with only the permissions needed. This approach supports least privilege and limits access exclusively to the SaaS provider.
Creating an IAM role for EC2 instances with the necessary permissions does not meet the requirement since it does not provide cross-account access control. The role would be available only within the enterprise’s account, not for the SaaS provider.
I opine that the answer is:
Create an IAM role for cross-account access allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
I sort that the answer is:
Create an IAM role for cross-account access allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.