AWS Certified Security – Specialty — Question 284
A company is outsourcing its operational support to an external company. The company's security officer must implement an access solution for delegating operational support that minimizes overhead.
Which approach should the security officer take to meet these requirements?
Answer options
- A. Implement Amazon Cognito identity pools with a role that uses a policy that denies the actions related to Amazon Cognito API management. Allow the external company to federate through its identity provider.
- B. Federate AWS Identity and Access Management (IAM) with the external company's identity provider. Create an IAM role and attach a policy with the necessary permissions.
- C. Create an IAM group for the external company. Add a policy to the group that denies IAM modifications. Securely provide the credentials to the external company.
- D. Use AWS SSO with the external company's identity provider. Create an IAM group to map to the identity provider user group, and attach a policy with the necessary permissions.
Correct answer: B
Explanation
Federating AWS IAM with the external company's identity provider (IdP) is the standard, secure way to grant third-party access with minimal overhead because it avoids the need to manage individual IAM credentials. Option B is correct because it allows external users to assume an IAM role with the precise permissions required for their operational tasks. Option C is incorrect because managing and sharing IAM credentials increases administrative overhead and security risks, while Option A is incorrect because Amazon Cognito is intended for customer-facing applications rather than AWS infrastructure management.
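The two documents behind option B are the role's trust policy (who may assume it, and how) and its permissions policy (what they may do once inside). The following Python block is an added example, not part of the original question or its explanation: it builds both documents for a SAML-federated support role and includes a small review check that flags the weak trust-policy patterns a security officer would reject. The account ID, the SAML provider name `ExternalSupportIdP`, the `SupportTier` tag and the chosen actions are all constructed assumptions for illustration.

```python
"""Added example: IAM role documents for federated third-party operational support.

Every concrete value below (account ID, provider name, tag key, action list) is a
constructed placeholder, not something taken from the exam question.
"""
import json

ACCOUNT_ID = "123456789012"            # constructed placeholder
SAML_PROVIDER_NAME = "ExternalSupportIdP"  # constructed placeholder
# Audience value AWS expects in a SAML assertion used for console/STS sign-in.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_provider_arn(account_id: str, name: str) -> str:
    """ARN of the SAML identity provider registered in IAM for the external IdP."""
    return f"arn:aws:iam::{account_id}:saml-provider/{name}"


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy: only assertions from the registered IdP, and only those whose
    audience is AWS sign-in, may assume the role. No long-lived credentials exist."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def build_permissions_policy(account_id: str) -> dict:
    """Permissions policy scoped to operational-support tasks (constructed scope):
    read-only visibility, reboot rights only on instances tagged for external support,
    and an explicit deny on IAM so the delegated role cannot widen its own access."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnlyOperationalView",
                "Effect": "Allow",
                "Action": ["ec2:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
                           "logs:Describe*", "logs:FilterLogEvents"],
                "Resource": "*",
            },
            {
                "Sid": "RebootTaggedInstancesOnly",
                "Effect": "Allow",
                "Action": ["ec2:RebootInstances"],
                "Resource": f"arn:aws:ec2:*:{account_id}:instance/*",
                "Condition": {"StringEquals": {"aws:ResourceTag/SupportTier": "external"}},
            },
            {"Sid": "NoIdentityChanges", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Review a trust policy; an empty list means it passes.
    Flags wildcard principals, non-federated principals, and an unpinned SAML audience."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append("wildcard principal: any AWS identity could assume the role")
        elif not (isinstance(principal, dict) and "Federated" in principal):
            findings.append("principal is not a federated identity provider")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithSAML" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("SAML:aud") != SAML_AUDIENCE:
                findings.append("SAML:aud not pinned: assertions for other audiences would be accepted")
    return findings


# Constructed 'before' example: open principal and no audience condition.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRoleWithSAML"}],
}

if __name__ == "__main__":
    arn = saml_provider_arn(ACCOUNT_ID, SAML_PROVIDER_NAME)
    print(json.dumps(build_trust_policy(arn), indent=2))
    print(json.dumps(build_permissions_policy(ACCOUNT_ID), indent=2))
    print("hardened findings:", trust_policy_findings(build_trust_policy(arn)))
    print("weak findings:", trust_policy_findings(WEAK_TRUST_POLICY))
```

The check is the part worth keeping on a reviewer's desk: the scoped trust policy returns no findings, while the open one is flagged twice. Pinning `SAML:aud` and naming the specific provider ARN is what turns "federate with the IdP" into a role that only that IdP's users can reach, with no credentials handed to the external company at all.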