Which approach should the security officer take to meet these requirements?
Implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management. Allow the external company to federate through its identity provider.
Federate AWS Identity and Access Management (IAM) with the external company’s identity provider. Create an IAM role and attach a policy with the necessary permissions.
Create an IAM group for the external company. Add a policy to the group that denies IAM modifications. Securely provide the credentials to the external company.
Use AWS SSO with the external company’s identity provider. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions.
Explanations:
Implementing Amazon Cognito identity pools is not suitable for delegating operational support as it primarily serves as a user authentication service, and using a policy that denies Cognito API management actions may lead to operational issues. Additionally, this approach does not provide sufficient permissions control for the external company’s operations.
Federating AWS IAM with the external company’s identity provider allows for streamlined access management. By creating an IAM role with an attached policy that grants necessary permissions, the security officer can delegate access while maintaining control and minimizing overhead in managing credentials and permissions.
Creating an IAM group for the external company and providing credentials with a policy that denies IAM modifications can lead to security risks. It complicates credential management and does not allow for flexible access control, making it less ideal for operational support delegation.
While AWS SSO can integrate with external identity providers, the use of an IAM group mapped to the identity provider user group may introduce unnecessary complexity. This approach requires additional management overhead compared to directly federating with IAM, making it less efficient for delegating operational support.
I outline that the answer is:
Federate AWS Identity and Access Management (IAM) with the external company’s identity provider. Create an IAM role and attach a policy with the necessary permissions.