What should a solutions architect do to implement least privilege access?
Update the permission policy on the SQS queue to give write access to the vendor’s AWS account.
Create an IAM user with write access to the SQS queue and share the credentials for the IAM user.
Update AWS Resource Access Manager to provide write access to the SQS queue from the vendor’s AWS account.
Create a cross-account role with access to all SQS queues and use the vendor’s AWS account in the trust document for the role.
Explanations:
Updating the permission policy on the SQS queue to give write access to the vendor’s AWS account is the most direct way to grant least privilege access to the queue.
Sharing IAM user credentials violates security best practices and does not provide the most secure least privilege access. The vendor should not receive user credentials.
AWS Resource Access Manager is used for resource sharing across accounts, but SQS is not supported for sharing through this service, making it an incorrect option.
Creating a cross-account role with access to all SQS queues would grant more access than necessary, violating the least privilege principle by allowing broader access.
If memory serves me right, the answer is:
Update the permission policy on the SQS queue to give write access to the vendor’s AWS account.
I would say the answer is:
Update the permission policy on the SQS queue to give write access to the vendor’s AWS account.