AWS Certified Solutions Architect – Professional (SAP-C02) — Question 147

A company is subject to regulatory audits of its financial information. External auditors who use a single AWS account need access to the company's AWS account. A solutions architect must provide the auditors with secure, read-only access to the company's AWS account. The solution must comply with AWS security best practices.

Which solution will meet these requirements?

Answer options

• A. In the company's AWS account, create resource policies for all resources in the account to grant access to the auditors' AWS account. Assign a unique external ID to the resource policy.
• B. In the company's AWS account, create an IAM role that trusts the auditors' AWS account. Create an IAM policy that has the required permissions. Attach the policy to the role. Assign a unique external ID to the role's trust policy.
• C. In the company's AWS account, create an IAM user. Attach the required IAM policies to the IAM user. Create API access keys for the IAM user. Share the access keys with the auditors.
• D. In the company's AWS account, create an IAM group that has the required permissions. Create an IAM user in the company's account for each auditor. Add the IAM users to the IAM group.

Correct answer: B

Explanation

Option B is correct because it allows for secure, controlled access through an IAM role, which is a best practice in AWS. It utilizes a trust relationship with the auditors' AWS account and incorporates a unique external ID for added security. Options A and C do not provide the same level of security or best practices, and option D involves creating multiple IAM users, which is less efficient and secure compared to using a role.