AWS Certified Security – Specialty (SCS-C02) — Question 288
A company is running workloads on AWS. The workloads are in separate AWS accounts for development, testing, and production. All the company’s developers can access the development account. A subset of the developers can access the testing account and the production account.
The company is spending too much time managing individual credentials for every developer across every environment. A security engineer must implement a more scalable solution that the company can use when a developer needs different access. The solution must allow developers to access resources across multiple accounts. The solution also must minimize credential sharing.
Which solution will meet these requirements?
Answer options
- A. Use AWS Identity and Access Management Access Analyzer to identify the permissions that the developers need on each account. Configure IAM Access Analyzer to automatically provision the correct access for each developer.
- B. Create an Amazon Simple Workflow Service (Amazon SWF) workflow. Instruct the developers to use the workflow to request access to other accounts when additional access is necessary.
- C. Create IAM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create IAM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.
- D. Create service accounts in the testing environment and production environment. Give the access keys for the service accounts to developers who require access to the testing account and the production account. Rotate the access keys for the service accounts periodically.
Correct answer: C
Explanation
Option C is correct because utilizing IAM roles with cross-account trust relationships and the sts:AssumeRole API is the AWS-recommended best practice for secure, scalable cross-account delegation. Option D is incorrect because sharing access keys is a high-risk practice that directly violates the requirement to minimize credential sharing. Options A and B are incorrect because IAM Access Analyzer cannot auto-provision permissions, and Amazon SWF is a workflow orchestration service, not an access management tool.