The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.’s AWS account to help optimize costs. The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany’s AWS account to assume this role. When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany’s other customers might deduce Example Corp.’s role ARN and potentially compromise the company’s account. What steps should the Engineer perform to prevent this outcome?

Topic #: - All AWS Certified Security - Specialty Questions

A. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
B. Request an external ID from AnyCompany and add a condition with sts:Externald to the role’s trust policy.
C. Require two-factor authentication by adding a condition to the role’s trust policy with aws:MultiFactorAuthPresent.
D. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role’s trust policy.

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Share this post

Join the Discussion