Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 81 discussion

Explained here > https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

Creating a unique IAM role for each external account allows you to grant specific permissions to each external account independently. Including a condition in the trust policy that uses the sts:ExternalId condition key allows you to enhance the trust between the accounts and prevent one external account from using the credentials intended for another external account. The sts:ExternalId condition ensures that the request is accompanied by the expected external ID, adding an extra layer of security. Options A, B, and C do not specifically address the requirement to prevent two external accounts from using the same credentials and may introduce unnecessary complexity or dependencies.

What is an external ID: An external ID is a unique identifier that is managed by a third-party identity provider (IdP). It's used to verify the identity of a user without requiring them to have an AWS IAM account. Creating a role with an external ID: You can create a role in your AWS account and specify an external ID source (e.g., SAML provider, OIDC provider). You can define trust relationships between the role and the external IdP. This ensures that only authorized users with the correct external ID can assume the role. You can attach IAM policies to the role to grant specific permissions to access AWS resources.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

C looks a bit reasonable but with a condition on the role makes it more secured so going with 'D'.

D will do it. The rest are distractors / incorrect

correct