AWS Certified Solutions Architect – Associate (SAA-C02) — Question 560

A company has hired an external vendor to perform work in the company's AWS account. The vendor uses an automated tool that is hosted in an AWS account that the vendor owns. The vendor does not have IAM access to the company's AWS account.
How should a solutions architect grant this access to the vendor?

Answer options

• A. Create a IAM role in the company's account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires.
• B. Create an IAM user in the company's account with a password that meets the password complexity requirements. Attach the appropriate IAM policies to the user for the permissions that the vendor requires.
• C. Create an IAM group in the company's account. Add the tool's IAM user from the vendor account to the group for the permissions that the vendor requires.
• D. Create a new identity provider by choosing ג€AWS accountג€ as the provider type in the IAM console. Supply the vendor's AWS account ID and user name. Attach the appropriate IAM policies to the new provider for the permissions that the vendor requires.

Correct answer: A

Explanation

The industry best practice for granting cross-account access to a third party is to use IAM roles with trust policies that delegate access to the external account's IAM role. This approach avoids the security risks of sharing long-term credentials, making options involving IAM users or groups incorrect. Additionally, "AWS account" is not a valid type when creating an identity provider in the IAM console.