AWS Certified Solutions Architect – Associate (SAA-C02) — Question 243
A company is using a third-party vendor to manage its marketplace analytics. The vendor needs limited programmatic access to resources in the company's account. All the needed policies have been created to grant appropriate access.
Which additional component will provide the vendor with the MOST secure access to the account?
Answer options
- A. Create an IAM user.
- B. Implement a service control policy (SCP).
- C. Use a cross-account role with an external ID.
- D. Configure a single sign-on (SSO) identity provider.
Correct answer: C
Explanation
Using a cross-account role with an external ID ensures that the vendor has secure, temporary access to the resources without needing to create a permanent user in your account. This method minimizes the risk of credential leakage and allows for fine-grained permissions. The other options either provide less security or do not meet the requirement for limited programmatic access.