AWS Certified Security – Specialty (SCS-C02) — Question 244
A consultant agency needs to perform a security audit for a company’s production AWS account. Several consultants need access to the account. The consultant agency already has its own AWS account.
The company requires multi-factor authentication (MFA) for all access to its production account. The company also forbids the use of long-term credentials.
Which solution will provide the consultant agency with access that meets these requirements?
Answer options
- A. Create an IAM group. Create an IAM user for each consultant. Add each user to the group. Turn on MFA for each consultant.
- B. Configure Amazon Cognito on the company’s production account to authenticate against the consultant agency’s identity provider (IdP). Add MFA to a Cognito user pool.
- C. Create an IAM role in the consultant agency’s AWS account. Define a trust policy that requires MFA. In the trust policy, specify the company’s production account as the principal. Attach the trust policy to the role.
- D. Create an IAM role in the company’s production account. Define a trust policy that requires MFA. In the trust policy, specify the consultant agency’s AWS account as the principal. Attach the trust policy to the role.
Correct answer: D
Explanation
The correct answer is D: the consultants assume a role in the company's production account whose trust policy requires MFA, so access is granted with temporary session credentials and the company never issues long-term credentials. Option A fails because IAM users carry long-term credentials, which the company forbids. Option B is unsuitable because it introduces a separate authentication method rather than granting access to the AWS account directly. Option C is incorrect because the role would be created in the consultant agency's account rather than in the company's production account, which does not fulfill the requirement.
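As an added illustration of option D (not part of the original question), the trust policy the company would attach to the audit role, together with a simplified model of how STS evaluates it for an AssumeRole call. The two account IDs and the consultant user name are constructed placeholders; the agency still has to grant its consultants `sts:AssumeRole` on the role ARN, and each consultant must authenticate with MFA (for example by passing `--serial-number` and `--token-code` to `aws sts assume-role`) for the condition key to be present.

```python
import json
from typing import Optional

COMPANY_ACCOUNT = "111111111111"  # constructed placeholder: company's production account
AGENCY_ACCOUNT = "222222222222"   # constructed placeholder: consultant agency's account


def trust_policy(trusted_account: str) -> dict:
    """Trust policy for the audit role, created in the COMPANY account (option D).

    The principal is the agency account as a whole; the Bool condition only
    allows callers whose session was authenticated with MFA.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def may_assume(policy: dict, caller_arn: str, mfa_present: Optional[bool]) -> bool:
    """Simplified model of the trust-policy check STS performs on AssumeRole.

    caller_arn is the agency-side IAM principal making the call. mfa_present
    None models the condition key being absent from the request context, which
    is what happens with plain long-term access keys and no MFA session.
    """
    caller_account = caller_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        trusted_account = stmt["Principal"]["AWS"].split(":")[4]
        if trusted_account != caller_account:
            continue  # principal from an untrusted account
        cond = stmt.get("Condition", {}).get("Bool", {})
        if "aws:MultiFactorAuthPresent" in cond:
            # A missing key never satisfies a Bool condition, so "no MFA" is denied.
            if mfa_present is None or str(mfa_present).lower() != cond["aws:MultiFactorAuthPresent"]:
                continue
        return True
    return False


if __name__ == "__main__":
    policy = trust_policy(AGENCY_ACCOUNT)
    print(json.dumps(policy, indent=2))
    consultant = f"arn:aws:iam::{AGENCY_ACCOUNT}:user/consultant"
    print("MFA session:", may_assume(policy, consultant, True))      # True
    print("no MFA:     ", may_assume(policy, consultant, None))      # False
```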