AWS Certified Security – Specialty (SCS-C02) — Question 80

A company uses AWS Organizations. The company wants to implement short-term credentials for third-party AWS accounts to use to access accounts within the company's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort.

Which solution will meet these requirements?

Answer options

Correct answer: D

Explanation

Option D is correct because creating a unique IAM role for each external account, with a trust policy that includes the sts:ExternalId condition key, enhances security by ensuring that only the intended external account can assume that role: the caller must be the trusted principal and must also present the external ID tied to that role, so two external accounts cannot share one set of credentials. Option A does not focus on IAM roles or trust policies. Option B, while it uses AWS IAM Identity Center, does not provide the same level of isolation for external accounts. Option C lacks the condition needed to prevent credential sharing between accounts.
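As an added illustration of option D (not part of the original question or its answer key), the trust policy below is what one of the per-partner roles would carry. The account ID 111111111111 and the external ID value are placeholders; a second partner would get its own role with its own principal and its own external ID, so neither partner can satisfy the other's trust policy. JSON has no comment syntax, so the notes are in prose here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPartnerAToAssumeOnlyWithItsExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "partner-a-0f3c9b2e-PLACEHOLDER"
        }
      }
    }
  ]
}
```

The Principal element restricts who may call sts:AssumeRole to the partner's account, and the StringEquals condition on sts:ExternalId rejects any AssumeRole request that does not carry the exact external ID agreed with that partner (the partner passes it with the --external-id argument of aws sts assume-role or the ExternalId parameter of the API). The short-term credentials returned by STS expire on their own, which is what keeps operational effort low; the two-part check (principal plus external ID) is what stops a role meant for one partner from being usable by another.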