AWS Certified Solutions Architect – Associate (SAA-C03) — Question 735
A company has hired an external vendor to perform work in the company’s AWS account. The vendor uses an automated tool that is hosted in an AWS account that the vendor owns. The vendor does not have IAM access to the company’s AWS account. The company needs to grant the vendor access to the company’s AWS account.
Which solution will meet these requirements MOST securely?
Answer options
- A. Create an IAM role in the company’s account to delegate access to the vendor’s IAM role. Attach the appropriate IAM policies to the role for the permissions that the vendor requires.
- B. Create an IAM user in the company’s account with a password that meets the password complexity requirements. Attach the appropriate IAM policies to the user for the permissions that the vendor requires.
- C. Create an IAM group in the company’s account. Add the automated tool’s IAM user from the vendor account to the group. Attach the appropriate IAM policies to the group for the permissions that the vendor requires.
- D. Create an IAM user in the company’s account that has a permission boundary that allows the vendor’s account. Attach the appropriate IAM policies to the user for the permissions that the vendor requires.
Correct answer: A
Explanation
Option A is correct. A cross-account IAM role is the AWS-recommended way to grant a third party access to an account: the vendor's automated tool calls sts:AssumeRole from the vendor's own account and receives short-lived temporary credentials, so the company never has to issue, distribute, or rotate long-term access keys. The role's trust policy should name the vendor's account (or, better, a specific role in it) as the principal and require an sts:ExternalId condition so that the vendor's tool cannot be tricked into using the role on behalf of some other customer (the confused-deputy problem). The permissions policy attached to the role should grant only what the vendor actually needs, and every AssumeRole call and subsequent API call is recorded in CloudTrail under the role session. Options B and D both create an IAM user, which means long-term credentials that must be handed to the vendor and managed thereafter; a permission boundary (option D) only caps the maximum permissions a user can have and is not a mechanism for allowing access from another account. Option C is incorrect because an IAM group can contain only IAM users from the same account; a user from the vendor's account cannot be added to a group in the company's account.
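The following is an added example, not part of the exam question or the official explanation. It builds the two policy documents that option A requires (a trust policy restricted to one vendor role plus an ExternalId, and a least-privilege permissions policy) and includes a small function that mimics the trust-policy check STS performs on AssumeRole, so the confused-deputy protection can be exercised offline. The account IDs, role names, bucket name and ExternalId are made-up placeholders.

```python
"""Cross-account role for a vendor (SAA-C03 Q735, option A), as an added example.

Everything here is illustrative: account IDs, role and bucket names, and the
ExternalId are placeholders, not values from the question.
"""
import json
from typing import Optional

COMPANY_ACCOUNT = "111111111111"          # placeholder
VENDOR_ACCOUNT = "222222222222"           # placeholder
VENDOR_ROLE = "VendorToolRole"            # placeholder: role the vendor's tool runs as
EXTERNAL_ID = "vendor-engagement-7f3a"    # placeholder, agreed with the vendor out of band


def build_trust_policy(vendor_account: str, vendor_role: str, external_id: str) -> dict:
    """Trust policy for the role created in the company's account.

    Only the named role in the vendor's account may assume it, and only when
    the AssumeRole call carries the agreed ExternalId. Trusting a single role
    rather than the whole account (":root") keeps the blast radius small.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:role/{vendor_role}"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_permissions_policy(bucket: str) -> dict:
    """Least-privilege permissions policy: read-only access to one bucket.

    Replace with whatever the vendor's tool actually needs; the point is to
    scope to specific actions and resources rather than granting '*'.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def assume_role_allowed(trust_policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Simplified model of the trust-policy evaluation STS does on AssumeRole.

    Returns True if some Allow statement names the caller as principal and its
    sts:ExternalId condition (if present) matches. Real IAM also evaluates the
    caller's own identity policy, SCPs and explicit denies, which this ignores.
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if caller_arn not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue
        return True
    return False


def to_json(policy: dict) -> str:
    """Serialize a policy document for `aws iam create-role` / `put-role-policy`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    trust = build_trust_policy(VENDOR_ACCOUNT, VENDOR_ROLE, EXTERNAL_ID)
    perms = build_permissions_policy("company-exports")
    print(to_json(trust))
    print(to_json(perms))
    vendor_arn = f"arn:aws:iam::{VENDOR_ACCOUNT}:role/{VENDOR_ROLE}"
    print("vendor with ExternalId:", assume_role_allowed(trust, vendor_arn, EXTERNAL_ID))
    print("vendor without ExternalId:", assume_role_allowed(trust, vendor_arn, None))
```

On the company side the trust document is passed to `aws iam create-role --role-name VendorAccessRole --assume-role-policy-document file://trust.json` and the permissions document to `aws iam put-role-policy`; on the vendor side the tool calls `aws sts assume-role --role-arn arn:aws:iam::111111111111:role/VendorAccessRole --role-session-name vendor-tool --external-id vendor-engagement-7f3a` and uses the returned temporary credentials. The check in `assume_role_allowed` shows why the ExternalId matters: a caller that is the trusted vendor role but omits or mis-states the ExternalId is refused, which is exactly the behaviour that stops a third party from relaying the vendor's role into the wrong customer account.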