ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 81 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 81
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company uses AWS Organizations. The company wants to implement short-term credentials for third-party AWS accounts to use to access accounts within the company's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort.

Which solution will meet these requirements?

  • A. Use a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.
  • B. Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identity source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.
  • C. Create a unique IAM role for each external account. Create a trust policy Use AWS Secrets Manager to create a random external key.
  • D. Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:ExternalId condition key.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by oioi at Nov. 23, 2023, 8:45 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
IPLogic
4 months, 4 weeks ago
Selected Answer: D
The best solution to meet these requirements is D. Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:ExternalId condition key.
upvoted 1 times
...
723993f
5 months ago
Selected Answer: B
why is everyone saying d, its b are we forgetting about the saas requirement ? iam roles can't help you access saas apps. identity center will be able auth each user individually using whatever idp, from there onward they can sso into saas as well as mgmt console
upvoted 1 times
...
jakie22332
5 months, 3 weeks ago
Selected Answer: B
B supports all the requirements with the LEAST operational overhead
upvoted 1 times
...
SHERLOCKAWS
1 year, 2 months ago
Selected Answer: D
Explained here > https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
upvoted 2 times
...
vikasj1in
1 year, 3 months ago
Creating a unique IAM role for each external account allows you to grant specific permissions to each external account independently. Including a condition in the trust policy that uses the sts:ExternalId condition key allows you to enhance the trust between the accounts and prevent one external account from using the credentials intended for another external account. The sts:ExternalId condition ensures that the request is accompanied by the expected external ID, adding an extra layer of security. Options A, B, and C do not specifically address the requirement to prevent two external accounts from using the same credentials and may introduce unnecessary complexity or dependencies.
upvoted 1 times
...
WeepingMaplte
1 year, 4 months ago
Selected Answer: D
What is an external ID: An external ID is a unique identifier that is managed by a third-party identity provider (IdP). It's used to verify the identity of a user without requiring them to have an AWS IAM account. Creating a role with an external ID: You can create a role in your AWS account and specify an external ID source (e.g., SAML provider, OIDC provider). You can define trust relationships between the role and the external IdP. This ensures that only authorized users with the correct external ID can assume the role. You can attach IAM policies to the role to grant specific permissions to access AWS resources.
upvoted 2 times
...
kejam
1 year, 4 months ago
Selected Answer: D
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
upvoted 3 times
...
Aamee
1 year, 5 months ago
Selected Answer: D
C looks a bit reasonable but with a condition on the role makes it more secured so going with 'D'.
upvoted 1 times
...
[Removed]
1 year, 5 months ago
Selected Answer: D
D will do it. The rest are distractors / incorrect
upvoted 2 times
...
oioi
1 year, 5 months ago
Selected Answer: D
correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago