AWS Certified Solutions Architect – Professional — Question 514

An organization is undergoing a security audit. The auditor wants to view the AWS VPC configurations as the organization has hosted all the applications in the
AWS VPC. The auditor is from a remote place and wants to have access to AWS to view all the VPC records.
How can the organization meet the expectations of the auditor without compromising on the security of their AWS infrastructure?

Answer options

• A. The organization should not accept the request as sharing the credentials means compromising on security.
• B. Create an IAM role which will have read only access to all EC2 services including VPC and assign that role to the auditor.
• C. Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.
• D. The organization should create an IAM user with VPC full access but set a condition that will not allow to modify anything if the request is from any IP other than the organization's data center.

Correct answer: C

Explanation

Creating an IAM user with read-only permissions specifically for AWS VPC adheres to the principle of least privilege by allowing the auditor to view configuration data without the ability to modify it. Option B is incorrect because granting access to all EC2 services provides broader access than necessary, and Option D is unsafe because it provides write permissions and relies on an IP restriction that would block the remote auditor. Option A is incorrect because refusing the audit is not a viable business solution when secure delegation options exist.