ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 126 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 126
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

An AWS partner company is building a service in AWS Organizations using its organization named org1. This service requires the partner company to have access to AWS resources in a customer account, which is in a separate organization named org2. The company must establish least privilege security access using an API or command line tool to the customer account.

What is the MOST secure way to allow org1 to access resources in org2?

  • A. The customer should provide the partner company with their AWS account access keys to log in and perform the required tasks.
  • B. The customer should create an IAM user and assign the required permissions to the IAM user. The customer should then provide the credentials to the partner company to log in and perform the required tasks.
  • C. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN) when requesting access to perform the required tasks.
  • D. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN), including the external ID in the IAM role’s trust policy, when requesting access to perform the required tasks.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by zhangyu20000 at Jan. 16, 2023, 2:30 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
dev112233xx
Highly Voted 1 year, 10 months ago
Selected Answer: D
D Well.. "external ID" is the keyword that you should look for in such scenario.
upvoted 5 times
...
d401c0d
Most Recent 6 days, 19 hours ago
Selected Answer: D
D. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN), including the external ID in the IAM role’s trust policy, when requesting access to perform the required tasks. A - that is just hilarious and should not be the case.
upvoted 1 times
...
amministrazione
5 months, 1 week ago
D. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN), including the external ID in the IAM role’s trust policy, when requesting access to perform the required tasks.
upvoted 1 times
...
career360guru
1 year, 1 month ago
Selected Answer: D
Option D is most secure.
upvoted 1 times
...
atirado
1 year, 1 month ago
Selected Answer: D
Sharing credentials will always be a bad idea. In comparison to C and D, options A and B are insecure. The reason D is the most secure option compared to C is because it addresses the confused deputy problem - https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
upvoted 2 times
...
NikkyDicky
1 year, 7 months ago
Selected Answer: D
it's D, but private link would be a better choice
upvoted 3 times
...
mfsec
1 year, 10 months ago
Selected Answer: D
With the external ID.
upvoted 2 times
...
God_Is_Love
1 year, 11 months ago
Selected Answer: D
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "AWS": "Example Corp's AWS Account ID" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "1122334455-The ID that only Third party and customer knows" } } } }
upvoted 3 times
...
Musk
2 years ago
Selected Answer: D
Easy. The external ID is for sure the winner.
upvoted 1 times
...
zozza2023
2 years ago
Selected Answer: D
D seems the correct answer
upvoted 2 times
...
Untamables
2 years ago
Selected Answer: D
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html
upvoted 2 times
...
masetromain
2 years ago
Selected Answer: D
The correct answer is D. This is the most secure way to allow org1 to access resources in org2 because it allows for least privilege security access. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN) and include the external ID in the IAM role’s trust policy when requesting access to perform the required tasks. This ensures that the partner company can only access the resources that it needs and only from the specific customer account. Option A and B both involve providing the partner company with credentials, which can be easily compromised and could lead to a security breach. Option C also provides the partner company with an IAM role, but it doesn't have any restrictions on when and where the partner company can access the resources in customer account, it could be a security risk.
upvoted 3 times
...
zhangyu20000
2 years ago
D is correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago