AWS Certified Security – Specialty — Question 80

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.
The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.
When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.
What steps should the Engineer perform to prevent this outcome?

Answer options

• A. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
• B. Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.
• C. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
• D. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.

Correct answer: B

Explanation

The correct answer is B because using an external ID helps prevent the role ARN from being guessed by other customers of AnyCompany, thus enhancing security. Options A and C do not specifically address the issue of role ARN exposure, and option D could be limiting if AnyCompany's IP addresses change or if they use dynamic IPs.