Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?
Create an IAM group for the finance users in the FinanceDept account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
Create an IAM group for the finance users in the MasterPayer account, then attach the AWS managed ReadOnlyAccess IAM policy to the group.
Create an AWS IAM role in the FinanceDept account with the ViewBilling permission, then grant the finance users in the MasterPayer account the permission to assume that role.
Create an AWS IAM role in the MasterPayer account with the ViewBilling permission, then grant the finance users in the FinanceDept account the permission to assume that role.
Explanations:
This option attaches the AWS managed ReadOnlyAccess policy to a group in the FinanceDept account. That policy grants read access to nearly every service in the FinanceDept account, which is far broader than billing information, so it fails the least-privilege requirement on its own. It also does not help with the actual goal: IAM permissions never cross an account boundary, so a policy attached in FinanceDept grants nothing in the MasterPayer account, and the consolidated billing information lives there.
Creating an IAM group in the MasterPayer account and attaching the ReadOnlyAccess policy would give the finance users read access to all resources in the MasterPayer account, not just billing information, which violates the requirement to restrict access to billing data only. It would also require separate identities for the finance staff in the MasterPayer account instead of reusing their existing FinanceDept users. This option does not meet the principle of least privilege.
This option creates an IAM role in the FinanceDept account with the ViewBilling permission, but the role is in the wrong account. A billing permission granted in FinanceDept only exposes FinanceDept's own view of billing, not the consolidated bill that the MasterPayer account owns. The trust direction is also reversed: it lets MasterPayer users assume a FinanceDept role, whereas the finance staff in FinanceDept need to assume a role that is defined in, and has permissions in, the MasterPayer account.
This option correctly creates an IAM role in the MasterPayer account with the ViewBilling permission and allows finance users in the FinanceDept account to assume that role. Three pieces make it work: the role's trust policy names the FinanceDept account as a trusted principal, the finance users' group in FinanceDept is granted sts:AssumeRole on that role's ARN, and the role's permissions policy contains only the billing view action. This meets the requirement by granting the least privilege necessary for finance staff to read the consolidated billing information without providing access to any other resources in the MasterPayer account. One practical caveat: by default IAM users and roles cannot open the Billing and Cost Management console at all, so the MasterPayer account's root user must also activate IAM access to billing information in the account settings, otherwise the role's permission is granted but never reaches the console.
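The three policy documents behind the correct option, as an added example (this is not part of the original question or of any AWS-provided material). The account IDs, role name, group name and policy names are placeholders chosen for illustration. The billing action is written as `aws-portal:ViewBilling`, the IAM action that the page's "ViewBilling" refers to; AWS has been replacing the coarse aws-portal actions with fine-grained billing actions, so check the current Billing and Cost Management documentation for the action your account should use. The functions only emit the policy JSON and run offline; the AWS CLI calls are executed only when APPLY=1 and must be run with credentials for the account indicated in each comment.

```shell
#!/bin/sh
# Added example: cross-account, least-privilege read access to consolidated billing.
# All identifiers below are assumed placeholders, not values from the original page.
MASTER_PAYER_ACCOUNT="111122223333"   # assumed: account that owns the consolidated bill
FINANCE_DEPT_ACCOUNT="444455556666"   # assumed: account where the finance users live
ROLE_NAME="FinanceBillingReadOnly"    # hypothetical role name in MasterPayer
GROUP_NAME="FinanceUsers"             # hypothetical group name in FinanceDept

# 1. Trust policy for the role in MasterPayer.
#    Trusting the FinanceDept account root means: any FinanceDept principal that is
#    itself allowed sts:AssumeRole on this role may assume it. Who that is gets
#    decided on the FinanceDept side (step 3), not here.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${FINANCE_DEPT_ACCOUNT}:root"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# 2. Permissions policy for the role: the single billing view action and nothing else.
#    No ReadOnlyAccess, no ModifyBilling, no access to other MasterPayer resources.
role_permissions_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "aws-portal:ViewBilling",
    "Resource": "*"
  }]
}
EOF
}

# 3. Policy for the finance group in FinanceDept: permission to assume exactly one role.
assume_role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::${MASTER_PAYER_ACCOUNT}:role/${ROLE_NAME}"
  }]
}
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
  # Run with MasterPayer credentials: create the role and attach its inline permissions.
  aws iam create-role \
    --role-name "${ROLE_NAME}" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy \
    --role-name "${ROLE_NAME}" \
    --policy-name "ViewBillingOnly" \
    --policy-document "$(role_permissions_policy)"

  # Run with FinanceDept credentials: let the finance group assume that role.
  aws iam put-group-policy \
    --group-name "${GROUP_NAME}" \
    --policy-name "AssumeMasterPayerBillingRole" \
    --policy-document "$(assume_role_policy)"

  # A finance user then switches into the role (returns temporary credentials):
  aws sts assume-role \
    --role-arn "arn:aws:iam::${MASTER_PAYER_ACCOUNT}:role/${ROLE_NAME}" \
    --role-session-name "finance-billing-review"
else
  echo "# Trust policy (MasterPayer role):";        trust_policy
  echo "# Permissions policy (MasterPayer role):";  role_permissions_policy
  echo "# Group policy (FinanceDept group):";       assume_role_policy
  echo "# Set APPLY=1 to run the aws CLI commands."
fi
```

Note the separation of concerns: the MasterPayer account decides what the role may do and which account may assume it, while the FinanceDept account decides which of its own users may perform that assumption. Removing a finance user from the FinanceDept group revokes their billing access without touching the MasterPayer account.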