AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A corporation wants to enable its security team to audit resources in all of its subsidiary companies' accounts with minimum necessary permissions. What method should be recommended to facilitate this requirement while adhering to security best practices?
Apply granular resource policies across all services in each environment, allowing audit-level access.
Create distinct profiles for team members within each subsidiary's environment, assigning them individual access keys for manual rotation.
Implement a centralized identity management service, allowing the team to use roles with 'Audit' policy attachments in each of the subsidiary's environments.
Distribute the superuser credentials for each environment, restricting their use to the audit tasks.
Creating a centralized identity account with IAM Identity Center and configuring it to allow the security team to assume predefined roles with audit-level permissions is a scalable and secure approach. It enforces the principle of least privilege and simplifies the management across the organization's accounts.
Providing direct access through different user profiles in each subsidiary's account is not an efficient solution and could lead to management complications. Assigning resource-based policies on a per-service basis can create inconsistencies and lacks central management. Providing the team with root user credentials for the audit function contradicts the best practices of secure account management, where such sensitive credentials should be used sparingly and with the utmost caution.