What is the MOST secure way to achieve this?
Use the Amazon Cognito user pools to get short-lived credentials for the second account.
Create a dedicated IAM access key for the second account, and send it by mail.
Create a cross-account access role, and use sts:AssumeRole API to get short-lived credentials.
Establish trust, and add an SSH key for the second account to the IAM user.
Explanations:
Amazon Cognito user pools authenticate and manage the end users of an application; they are not a mechanism for granting access to AWS resources across accounts. A user pool does not provide the cross-account access needed here and is not designed to hand developers temporary credentials for resources in another account.
Creating a dedicated IAM access key for the second account and sending it by mail is highly insecure. Access keys should never be distributed through channels such as email, which expose them to interception and misuse. In addition, IAM access keys are long-lived rather than temporary, so this option does not follow security best practices.
Creating a cross-account access role and using the sts:AssumeRole API is the most secure option. The developer exchanges their own credentials for temporary credentials that expire automatically and are limited to the permissions of the role, adhering to the principle of least privilege. The role's trust policy defines exactly which principals in the other account may assume it, so access is controlled and logged.
Establishing trust and adding an SSH key for the second account is not applicable for AWS IAM roles or resource access management. SSH keys are used for server access and do not provide a method for securely managing temporary credentials or cross-account access within AWS. Additionally, this approach does not leverage AWS’s built-in capabilities for managing secure access.
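As an added illustration of the cross-account role option (example code, not part of the original question set), the block below builds the trust policy for the role in the resource-owning account, reviews a trust policy for weaknesses that widen who can assume it, and shows the sts:AssumeRole exchange that yields short-lived credentials. Account IDs, user names and the external ID are constructed placeholders.

```python
import json

# Constructed placeholder account IDs and names; not real accounts.
DEV_ACCOUNT = "111111111111"        # account holding the developer's IAM user
RESOURCE_ACCOUNT = "222222222222"   # account that owns the resources

def build_trust_policy(dev_account: str, dev_user: str, external_id: str) -> dict:
    """Trust policy for the role in RESOURCE_ACCOUNT: only one named user in
    DEV_ACCOUNT may call sts:AssumeRole, and only with the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{dev_account}:user/{dev_user}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def trust_policy_findings(policy: dict) -> list:
    """Flag trust-policy weaknesses that widen who can assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws)
        if principal == "*" or "*" in aws:
            findings.append("wildcard principal: any AWS account could assume the role")
        if any(p.endswith(":root") for p in aws):
            findings.append("whole account trusted: every principal its admins allow can assume the role")
        if not stmt.get("Condition"):
            findings.append("no Condition: consider sts:ExternalId or aws:MultiFactorAuthPresent")
    return findings

def assume_role_session(role_arn: str, external_id: str, session_name: str, duration=3600):
    """Exchange the developer's own credentials for short-lived ones via
    sts:AssumeRole (needs boto3 and real credentials; not exercised offline)."""
    import boto3  # imported here so the rest of the module works without boto3
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name,
        ExternalId=external_id, DurationSeconds=duration)
    creds = resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])

if __name__ == "__main__":
    good = build_trust_policy(DEV_ACCOUNT, "dev-alice", "constructed-external-id")
    print(json.dumps(good, indent=2), trust_policy_findings(good))
    loose = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    print(trust_policy_findings(loose))
```

The role itself would carry a permissions policy scoped to the resources the developer needs, and the session returned by `assume_role_session` expires after `duration` seconds.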