An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue
several API commands to discover Amazon EC2 resources running within the enterprise’s account The
enterprise has internal security policies that require any outside access to their environment must conform to
the principles of least privilege and there must be controls in place to ensure that the credentials used by the
SaaS vendor cannot be used by any other third party. Which of the following would meet all of these
conditions?
A.
From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and
secret key for your account.
B.
Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the
actions required by the SaaS application create a new access and secret key for the user and provide these
credentials to the SaaS provider.
C.
Create an IAM role for cross-account access allows the SaaS provider’s account to assume the role and
assign it a policy that allows only the actions required by the SaaS application.
D.
Create an IAM role for EC2 instances, assign it a policy mat allows only the actions required tor the Saas
application to work, provide the role ARM to the SaaS provider to use when launching their application
instances.
b
…the credentials used by the SaaS vendor cannot be used by any other third party.
0
0
Answer is C . As per security req vendor should not share the credentials . But in option is with IAM user credential chance is available to share credentials.
1
0
B is incorrect, because we can’t assign a policy to an IAM user.
I would go with Mutu’s thought, answer would be C
0
0
B is incorrect, but you can assign a policy to an IAM user. User is not necessarily an individual.
C is correct as it is advisable to avoid using API keys and use roles instead when necessary for security reasons
0
0
this requires a role.
0
0
100% C.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
1
0
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
0
0
c
0
0
D
0
0
Hey,
The and is C,
A, is out of home 🙂
B, We should not pass the credentials to any one even this SaaS vendor
D, If you are intended to share the IAM role ARN to this vendor , there is a chance to get access to other third party vendor.
So the right ans is C 100% sure. Since it is restricted to single account and none can access the resources in enterprise account other than this vendor even if other tries to access !!
CHEERS !!!
0
0
C
0
0
Do we have to assume here that SAAS provider is also on AWS
0
0
If that is the case
Ans should be D
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html
0
0
I think it is C
0
0
Saas application is a third party, should use a role to access to Amazon EC2, my ans is D
0
0
come on third party saas not on aws infra cannot assume iam role. C is wrong.
0
0