Learn how to securely review VPC configurations across multiple AWS accounts using cross-account IAM roles and read-only permissions, ensuring adherence to the principle of least privilege.
Table of Contents
Question
A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company’s security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts.
Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.
B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.
C. Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
Answer
D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
Explanation
- Creating an IAM policy with read-only access to VPC resources in each developer account aligns with the principle of least privilege, ensuring that the security administrator can only review the VPC configuration without modifying it.
- Assigning this policy to a cross-account IAM role allows the security administrator to assume the role from their account, eliminating the need to share long-term credentials.
- By assuming the cross-account role, the security administrator can securely and temporarily access the VPC resources in the developer accounts without having direct access to the accounts.
- This solution follows the best practice of not sharing permanent credentials and granting only the necessary permissions required for the specific task.
The other options are less secure because:
A. Sharing IAM user credentials with the security administrator is a security risk, as it violates the principle of least privilege and can potentially lead to unauthorized access or misuse of credentials. B. Granting administrator access to all Amazon EC2 actions, including VPC actions, violates the principle of least privilege and gives the security administrator more permissions than necessary. C. Assigning an IAM policy with administrator access to VPC resources to a cross-account role violates the principle of least privilege and grants more permissions than necessary for reviewing the VPC configuration.
Amazon AWS Certified SysOps Administrator – Associate certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified SysOps Administrator – Associate exam and earn Amazon AWS Certified SysOps Administrator – Associate certification.