What should the company do to obtain access to customer accounts in the MOST secure way?
Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch permissions and a trust policy to the company’s account.
Create a serverless API that implements a token vending machine to provide temporary AWS credentials for a role with read-only EC2 and CloudWatch permissions.
Ensure that the customers create an IAM user in their account with read-only EC2 and CloudWatch permissions. Encrypt and store customer access and secret keys in a secrets management system.
Ensure that the customers create an Amazon Cognito user in their account to use an IAM role with read-only EC2 and CloudWatch permissions. Encrypt and store the Amazon Cognito user and password in a secrets management system.
Explanations:
This option allows the customers to create an IAM role with specific permissions (read-only EC2 and CloudWatch), enabling the company to assume that role. The trust policy grants the company’s account access, ensuring secure and controlled access to the customers’ AWS resources without sharing long-term credentials.
While a token vending machine can provide temporary AWS credentials, implementing this requires additional complexity and security considerations, such as managing the token lifecycle and ensuring secure API access. It does not leverage the AWS best practices for cross-account access, which recommend using IAM roles with trust relationships.
Creating an IAM user for each customer with access keys poses a security risk, as long-term credentials can be compromised. Additionally, managing and rotating these keys is cumbersome, making this approach less secure than using roles. Storing access and secret keys, even encrypted, increases the risk of exposure.
Using Amazon Cognito for this purpose is not ideal as it is designed for user authentication rather than granting AWS resource access directly. Also, it would require customers to manage user credentials securely, which adds unnecessary complexity and does not align with best practices for IAM roles.
I evaluate that the answer is:
Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch permissions and a trust policy to the company’s account.