What is the MOST secure way to allow org1 to access resources in org2?

By:
In: SAP-C02
Tagged:
With: 1 Comment
An AWS partner company is building a service in AWS Organizations using its organization named org1.This service requires the partner company to have access to AWS resources in a customer account, which is in a separate organization named org2.The company must establish least privilege security access using an API or command line tool to the customer account.

What is the MOST secure way to allow org1 to access resources in org2?

The customer should provide the partner company with their AWS account access keys to log in and perform the required tasks.

The customer should create an IAM user and assign the required permissions to the IAM user. The customer should then provide the credentials to the partner company to log in and perform the required tasks.

The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN) when requesting access to perform the required tasks.

The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN), including the external ID in the IAM role’s trust policy, when requesting access to perform the required tasks.

Explanations:

Providing access keys compromises security, as it grants full access without any restrictions. This method does not implement least privilege principles and increases the risk of misuse or exposure of credentials.

Creating an IAM user with credentials allows the partner company to log in with those credentials but does not enforce least privilege effectively. The partner company could gain more access than necessary, and managing access keys can lead to security vulnerabilities.

While creating an IAM role and allowing the partner company to assume it is better than providing direct credentials, it does not address external access control or misuse. It lacks the additional security layer provided by an external ID in the trust policy.

This option uses an IAM role with the necessary permissions and an external ID in the trust policy, ensuring that only the intended partner company can assume the role. It enforces least privilege and enhances security by preventing unauthorized access from other parties that may know the role ARN.

2025-10-17

1 Comment

  1. Jose
    Author

    I categorize that the answer is:
    The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN), including the external ID in the IAM role’s trust policy, when requesting access to perform the required tasks.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − 19 =