Which solution will meet these requirements?
In the company’s AWS account, create resource policies for all resources in the account to grant access to the auditors’ AWS account. Assign a unique external ID to the resource policy.
In the company’s AWS account, create an IAM role that trusts the auditors’ AWS account. Create an IAM policy that has the required permissions. Attach the policy to the role. Assign a unique external ID to the role’s trust policy.
In the company’s AWS account, create an IAM user. Attach the required IAM policies to the IAM user. Create API access keys for the IAM user. Share the access keys with the auditors.
In the company’s AWS account, create an IAM group that has the required permissions. Create an IAM user in the company’s account for each auditor. Add the IAM users to the IAM group.
Explanations:
While creating resource policies could provide access to the auditors’ AWS account, it would require implementing policies on every individual resource, which is not scalable and violates the principle of least privilege. Additionally, resource policies do not support external IDs, which are better handled through IAM roles.
This solution follows AWS security best practices by creating an IAM role that the auditors’ AWS account can assume. The trust policy allows the auditors’ account to assume the role, and attaching a unique external ID enhances security by preventing the “confused deputy” problem. The IAM policy can be scoped to grant only the necessary read-only permissions.
Creating an IAM user and sharing access keys is not a secure practice, as it can lead to credential leakage. Access keys can be compromised, and IAM users do not provide the flexibility or security that IAM roles do for cross-account access. Furthermore, it does not utilize an external ID, which is recommended for added security.
Creating individual IAM users for each auditor is not scalable and introduces management overhead. It also does not provide the flexibility of assuming roles across accounts. While IAM groups can simplify permission management, this approach does not incorporate best practices for secure cross-account access, such as using external IDs or role assumption.
I estimate that the answer is:
In the company’s AWS account, create an IAM role that trusts the auditors’ AWS account. Create an IAM policy that has the required permissions. Attach the policy to the role. Assign a unique external ID to the role’s trust policy.