Which actions will meet the program requirements that address security?
Create an Amazon CloudWatch alarm for AWS CloudTrail events. Create a metric filter to send a notification when the same set of IAM credentials is used by multiple developers.
Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.
Create a VPN tunnel between the corporate premises and the VPC. Allow permissions to all AWS services only if it originates from corporate premises.
Create multiple IAM roles for each IAM user. Ensure that users who use the same IAM credentials cannot assume the same IAM role at the same time.
Explanations:
While CloudWatch alarms can monitor activity, using IAM credentials across multiple users would not be effectively prevented. CloudWatch events could flag the issue but not resolve it or prevent further sharing of credentials.
Federation via an IdP with IAM roles provides secure, scalable, and efficient access to AWS resources. Developers can authenticate via the corporate IdP, avoiding the need for provisioning individual IAM users, reducing the risk of credential sharing.
A VPN tunnel is unrelated to IAM credentials or access control. This option does not address the problem of developers sharing IAM credentials or streamline access management.
Multiple IAM roles per user would still not prevent developers from sharing credentials. This approach does not address the root cause of credential sharing or simplify user provisioning.
I calculate that the answer is:
Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.
I would say the answer is:
Create a federation between AWS and the existing corporate IdP. Leverage IAM roles to provide federated access to AWS resources.