Which solution will meet these requirements in the MOST secure manner?

By:
In: SOA-C02
Tagged:
With: 1 Comment
A company is managing multiple AWS accounts in AWS Organizations.The company is reviewing internal security of its AWS environment.The company’s security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts.

Which solution will meet these requirements in the MOST secure manner?

Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.

Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.

Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

Explanations:

While this option provides read-only access to VPC resources, sharing user credentials poses a security risk, as it violates the principle of least privilege and could lead to unauthorized access.

This option grants administrator access to all EC2 actions, which includes more permissions than necessary for reviewing VPC configurations. Sharing credentials increases the risk of misuse and is not a secure practice.

Although this option creates an IAM role with administrator access related to VPC resources, it grants excessive permissions for the specific need of reviewing VPC configurations, violating the principle of least privilege.

This option creates a cross-account IAM role with read-only access to VPC resources, which adheres to the principle of least privilege. It allows the security administrator to assume the role securely without sharing credentials, thus maintaining a more secure environment.

2025-09-30

1 Comment

  1. Marilyn
    Author

    In my opinion, the answer is:
    Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 × five =