exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 81 discussion

A company uses AWS Organizations. The company wants to implement short-term credentials for third-party AWS accounts to use to access accounts within the company's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort.

Which solution will meet these requirements?

  • A. Use a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.
  • B. Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identity source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.
  • C. Create a unique IAM role for each external account. Create a trust policy Use AWS Secrets Manager to create a random external key.
  • D. Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:ExternalId condition key.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
IPLogic
3 days, 22 hours ago
Selected Answer: D
The best solution to meet these requirements is D. Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:ExternalId condition key.
upvoted 1 times
...
723993f
1 week, 1 day ago
Selected Answer: B
why is everyone saying d, its b are we forgetting about the saas requirement ? iam roles can't help you access saas apps. identity center will be able auth each user individually using whatever idp, from there onward they can sso into saas as well as mgmt console
upvoted 1 times
...
jakie22332
4 weeks, 1 day ago
Selected Answer: B
B supports all the requirements with the LEAST operational overhead
upvoted 1 times
...
SHERLOCKAWS
10 months ago
Selected Answer: D
Explained here > https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
upvoted 2 times
...
vikasj1in
10 months, 3 weeks ago
Creating a unique IAM role for each external account allows you to grant specific permissions to each external account independently. Including a condition in the trust policy that uses the sts:ExternalId condition key allows you to enhance the trust between the accounts and prevent one external account from using the credentials intended for another external account. The sts:ExternalId condition ensures that the request is accompanied by the expected external ID, adding an extra layer of security. Options A, B, and C do not specifically address the requirement to prevent two external accounts from using the same credentials and may introduce unnecessary complexity or dependencies.
upvoted 1 times
...
WeepingMaplte
11 months, 3 weeks ago
Selected Answer: D
What is an external ID: An external ID is a unique identifier that is managed by a third-party identity provider (IdP). It's used to verify the identity of a user without requiring them to have an AWS IAM account. Creating a role with an external ID: You can create a role in your AWS account and specify an external ID source (e.g., SAML provider, OIDC provider). You can define trust relationships between the role and the external IdP. This ensures that only authorized users with the correct external ID can assume the role. You can attach IAM policies to the role to grant specific permissions to access AWS resources.
upvoted 2 times
...
kejam
1 year ago
Selected Answer: D
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
upvoted 3 times
...
Aamee
1 year ago
Selected Answer: D
C looks a bit reasonable but with a condition on the role makes it more secured so going with 'D'.
upvoted 1 times
...
[Removed]
1 year ago
Selected Answer: D
D will do it. The rest are distractors / incorrect
upvoted 2 times
...
oioi
1 year ago
Selected Answer: D
correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...