Hard · 1 mark · Multiple Choice
Domain 1.1: Secure Access · Security · IAM · Cross-Account

AWS SAA-C03 · Question 06 · Domain 1.1: Secure Access

A company needs to grant a third-party vendor access to an S3 bucket in its AWS account. The vendor will access the bucket from their own AWS account. What is the MOST secure way to grant this access?

Answer options:

A. Create an IAM user for the vendor and email them the access keys.

B. Create an IAM role in the company's account with a trust policy allowing the vendor's account to assume it, and require an External ID.

C. Make the S3 bucket public and give the vendor the URL.

D. Use AWS Resource Access Manager (RAM) to share the S3 bucket.

How to approach this question

Identify the best practice for third-party cross-account access, which involves IAM roles and External IDs.

Full Answer

B. Create an IAM role in the company's account with a trust policy allowing the vendor's account to assume it, and require an External ID. ✓ Correct

Using an IAM role with an External ID is the AWS-recommended way to securely grant a third party access to your AWS resources.

Common mistakes

Forgetting that External IDs are crucial for third-party cross-account roles.
