AWS Certified Solutions Architect – Associate (SAA-C02) — Question 297
A company is working with an external vendor that requires write access to the company's Amazon Simple Queue Service (Amazon SQS) queue. The vendor has its own AWS account.
What should a solutions architect do to implement least privilege access?
Answer options
- A. Update the permission policy on the SQS queue to give write access to the vendor's AWS account.
- B. Create an IAM user with write access to the SQS queue and share the credentials for the IAM user.
- C. Update AWS Resource Access Manager to provide write access to the SQS queue from the vendor's AWS account.
- D. Create a cross-account role with access to all SQS queues and use the vendor's AWS account in the trust document for the role.
Correct answer: A
Explanation
Updating the resource-based permission policy on the specific Amazon SQS queue is the most secure way to grant cross-account write access while adhering to the principle of least privilege. Sharing IAM user credentials violates security best practices, AWS Resource Access Manager does not support Amazon SQS sharing, and granting access to all queues via a cross-account role provides far more access than necessary.
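As an added example (not part of the exam page or of AWS's own documentation), this is the shape of queue policy that option A describes, scoped to one queue, to the send actions, and to the vendor's account, together with a small check that flags the wildcards that would turn it into the option D style of grant. The queue ARN, account IDs and the reading of "write access" as `sqs:SendMessage` are assumptions.

```python
import json

# Constructed placeholders, not values from the question.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:vendor-intake"
VENDOR_ACCOUNT_ID = "222222222222"
WRITE_ACTIONS = {"sqs:SendMessage", "sqs:SendMessageBatch"}


def queue_policy_for_vendor(queue_arn: str, vendor_account_id: str) -> dict:
    """Resource-based SQS queue policy: only the vendor account may send
    messages, and only to this one queue (the option A approach)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VendorWriteOnly",
            "Effect": "Allow",
            # Trusting the account root delegates to the vendor which of its
            # own IAM principals may use the grant.
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
        }],
    }


def least_privilege_findings(policy: dict, queue_arn: str, vendor_account_id: str) -> list:
    """Return findings for every Allow statement that grants more than
    write access, more than one queue, or more than the vendor account.
    An empty list means the policy is scoped as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if a not in WRITE_ACTIONS:
                findings.append(f"action beyond write access: {a}")
        resources = stmt.get("Resource", [])
        for r in ([resources] if isinstance(resources, str) else resources):
            if r != queue_arn:
                findings.append(f"resource not limited to the queue: {r}")
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([principals] if isinstance(principals, str) else principals):
            if vendor_account_id not in p:  # also catches "*"
                findings.append(f"unexpected principal: {p}")
    return findings


# Option D in policy form: every action on every queue in the account.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sqs:*",
        "Resource": "arn:aws:sqs:us-east-1:111111111111:*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(queue_policy_for_vendor(QUEUE_ARN, VENDOR_ACCOUNT_ID), indent=2))
    print(least_privilege_findings(OVERLY_BROAD_POLICY, QUEUE_ARN, VENDOR_ACCOUNT_ID))
```

The check is a local review aid for the policy document, not a substitute for IAM Access Analyzer or the evaluation AWS performs when the policy is attached.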