AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A multinational enterprise has separate accounts for development and production environments to enhance security and operational efficiency. Developers need to access cloud resources in the production environment sporadically to perform troubleshooting. As a solutions architect, what approach would you suggest to facilitate these occasional access requirements while maintaining stringent security controls?
Provide distinct user credentials for each developer that grant access to the necessary services in the separate environment, with a scheduled monthly rotation policy.
Implement trust relationships between the organization's accounts using roles with permissions to access necessary services, allowing for temporary credential assumption through a trusted federation.
Adjust the policies attached to resources in the separate environment to directly authorize access for identities from the development environment.
Create identically named roles with necessary permissions in both the development and separate environment accounts.
The correct approach is to set up trust relationships between the accounts: create a role in the production account with the required permissions and a trust policy that lets identities from the development account assume it as needed. Assuming the role issues temporary credentials whose scope is bounded by the role's permissions policy, so the enterprise can control access precisely without managing permanent credentials for each developer in each environment, in keeping with the principle of least privilege. Issuing dedicated user credentials, or creating identically named roles in both accounts, does not follow the best practice of using temporary credentials for cross-account access and may not meet security and audit requirements. Granting direct access by modifying resource policies could compromise security by making the access too permissive and is not aligned with recommended security practices.
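The policy documents the correct answer describes, as an added example that is not part of the original question or explanation. Cross-account role assumption needs two things: a trust policy on the production role naming the development account, and an identity policy in the development account allowing sts:AssumeRole on that role. The account IDs, role name, log group ARN and the small `assume_role_allowed` evaluator are constructed for illustration (the evaluator only models the account-root principal and MFA condition used here, not the full IAM evaluation logic); `assume_for_troubleshooting` shows the boto3 call that returns time-limited credentials and is not run offline.

```python
import json

# Constructed placeholder account IDs and names (not real accounts).
DEV_ACCOUNT_ID = "111111111111"
PROD_ACCOUNT_ID = "222222222222"
ROLE_NAME = "DevTroubleshootAccess"
PROD_ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT_ID}:role/{ROLE_NAME}"


def trust_policy(dev_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy for the production role: which principals may assume it.

    Trusting the account root delegates to the development account's own IAM
    policies the decision of which identities there may call sts:AssumeRole.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dev_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Only allow assumption from sessions that authenticated with MFA.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def permissions_policy(log_group_arn: str) -> dict:
    """Permissions policy for the role: read-only troubleshooting scope only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents",
                           "logs:FilterLogEvents"],
                "Resource": log_group_arn,
            },
            {
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
                "Resource": "*",  # Describe* calls do not support resource-level scoping
            },
        ],
    }


def developer_identity_policy(prod_role_arn: str) -> dict:
    """Identity policy in the development account: which developers may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": prod_role_arn}],
    }


def assume_role_allowed(trust: dict, caller_account_id: str, mfa_present: bool) -> bool:
    """Simplified, constructed check of the trust policy for a caller (not the IAM
    engine): handles only the account-root principal and the MFA condition above."""
    for stmt in trust["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account_id}:root":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if cond.get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False


def assume_for_troubleshooting(session_name: str, duration_seconds: int = 3600) -> dict:
    """Obtain temporary credentials via STS (needs real AWS credentials; not run
    offline). The returned Credentials block includes an Expiration timestamp."""
    import boto3  # imported lazily so the rest of the module runs without it
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=PROD_ROLE_ARN, RoleSessionName=session_name,
                           DurationSeconds=duration_seconds)
    return resp["Credentials"]


if __name__ == "__main__":
    log_group = f"arn:aws:logs:us-east-1:{PROD_ACCOUNT_ID}:log-group:/app/prod:*"
    print(json.dumps(trust_policy(DEV_ACCOUNT_ID), indent=2))
    print(json.dumps(permissions_policy(log_group), indent=2))
    print(json.dumps(developer_identity_policy(PROD_ROLE_ARN), indent=2))
```

The session name passed to AssumeRole appears in CloudTrail alongside the calling identity, which is what gives this design its audit trail; the credentials expire after the requested duration, so nothing long-lived is left in the developer's hands.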