Which authentication option will meet these requirements MOST securely?
A. Integrate DynamoDB with AWS Secrets Manager in the inventory application account. Configure the application to use the correct secret from Secrets Manager to authenticate and read the DynamoDB table. Schedule secret rotation for every 30 days.
B. In every business account, create an IAM user that has programmatic access. Configure the application to use the correct IAM user access key ID and secret access key to authenticate and read the DynamoDB table. Manually rotate IAM access keys every 30 days.
C. In every business account, create an IAM role named BU_ROLE with a policy that gives the role access to the DynamoDB table and a trust policy that trusts a specific role in the inventory application account. In the inventory account, create a role named APP_ROLE that allows access to the STS AssumeRole API operation. Configure the application to use APP_ROLE and assume the cross-account role BU_ROLE to read the DynamoDB table.
D. Integrate DynamoDB with AWS Certificate Manager (ACM). Generate identity certificates to authenticate to DynamoDB. Configure the application to use the correct certificate to authenticate and read the DynamoDB table.
Explanations:
A. While integrating DynamoDB with AWS Secrets Manager can enhance security by managing secrets, it does not provide a robust method for cross-account access to DynamoDB tables. The application in the shared account would still need IAM permissions to access the tables, which Secrets Manager alone does not provide.
B. Creating IAM users in every business account and using access keys poses significant security risks. IAM user access keys are long-term credentials that can be compromised, and rotating them manually every 30 days creates operational overhead and a risk of access outages if rotation is mishandled. This method also does not provide secure cross-account access.
C. This option implements cross-account access securely using IAM roles. The application in the central inventory account assumes the BU_ROLE in each business account, which is granted access to that account's DynamoDB table. This method uses temporary security credentials, which are less prone to compromise than long-term IAM user access keys. It also simplifies access management by centralizing permissions in roles.
D. AWS Certificate Manager (ACM) is not designed for authenticating access to DynamoDB. DynamoDB relies on IAM for access control, and using certificates for this purpose would not meet the requirements for securely managing cross-account access. Additionally, this method does not support the use case of a central application accessing multiple DynamoDB tables across different accounts.
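As an added example (not part of the question or its answer key), the Python below builds the BU_ROLE trust and permissions policies described in option C, flags the common least-privilege mistakes in such a pair (trusting an account root or `*`, wildcard actions, unscoped resources), and performs the AssumeRole-then-read flow. The STS and DynamoDB clients are injected so it runs offline; in production they would be boto3 clients. Account IDs, region and table name are constructed placeholders supplied by the caller.

```python
# Added example (not from the page): option C's cross-account pattern in Python.
# Account IDs, region and table name passed in by the caller are placeholders.
READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem"]


def bu_role_trust_policy(inventory_account):
    """BU_ROLE trust policy: only APP_ROLE in the inventory account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{inventory_account}:role/APP_ROLE"},
        "Action": "sts:AssumeRole"}]}


def bu_role_permissions_policy(business_account, region, table):
    """BU_ROLE permissions: read-only actions on exactly one table ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": READ_ACTIONS,
        "Resource": f"arn:aws:dynamodb:{region}:{business_account}:table/{table}"}]}


def policy_findings(trust, perms, inventory_account):
    """List least-privilege violations in a BU_ROLE policy pair; empty means clean."""
    findings, expected = [], f"arn:aws:iam::{inventory_account}:role/APP_ROLE"
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        for p in principal if isinstance(principal, list) else [principal]:
            if p != expected:  # "*" or an account root lets any principal there assume the role
                findings.append(f"trust allows {p!r}, expected only {expected!r}")
    for st in perms["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a not in READ_ACTIONS for a in actions):  # catches "*" and "dynamodb:*" too
            findings.append(f"non-read or wildcard actions granted: {actions}")
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(r == "*" or r.endswith("/*") for r in resources):
            findings.append("permissions not scoped to a single table ARN")
    return findings


def assume_and_read(sts, make_dynamodb, business_account, region, table):
    """Assume BU_ROLE via STS, then read the table with the short-lived credentials. In production
    sts is boto3.client("sts") and make_dynamodb is functools.partial(boto3.client, "dynamodb")."""
    creds = sts.assume_role(RoleArn=f"arn:aws:iam::{business_account}:role/BU_ROLE",
                            RoleSessionName="inventory-app", DurationSeconds=900)["Credentials"]
    ddb = make_dynamodb(region_name=region, aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])
    return ddb.scan(TableName=table)["Items"]
```

The session credentials returned by AssumeRole expire on their own (here after 15 minutes), which is what makes option C preferable to the long-lived access keys of option B.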