A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing the internal security of its AWS environment. The company's security administrator has their own AWS account and wants to review the VPC configuration of the developer AWS accounts.

Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to an IAM user. Share the user credentials with the security administrator.
B. Create an IAM policy in each developer account that has administrator access to all Amazon EC2 actions, including VPC actions. Assign the policy to an IAM user. Share the user credentials with the security administrator.
C. Create an IAM policy in each developer account that has administrator access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.
D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

Answer: D

Explanation:

To review the VPC configuration of developer AWS accounts securely, the best practice is to use cross-account IAM roles with read-only access. Options A and B require sharing long-lived IAM user credentials, which cannot be attributed to a single person and are easy to leak. Option C uses a role, but grants administrator access to VPC resources when the task only requires reading them. Option D combines temporary credentials (STS AssumeRole) with least privilege, and every action the security administrator takes is logged in the developer account's CloudTrail under the assumed-role session.

Create an IAM Policy with Read-Only Access:

Navigate to the IAM console in each developer account.

Create a new policy with read-only access to VPC resources. Only ec2:Describe* style actions are allowed, so the role cannot change anything. For example (the action list is illustrative; extend it with the other Describe calls the review needs, such as ec2:DescribeInternetGateways or ec2:DescribeVpcEndpoints):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkAcls"
      ],
      "Resource": "*"
    }
  ]
}

Save the policy.

Create a Cross-Account IAM Role:

In the IAM console, choose "Roles" and then "Create role".

Select "Another AWS account" and enter the AWS account ID of the security administrator's account. The console writes a trust policy that allows the whole account root to assume the role; tighten it so that the Principal is the security administrator's specific IAM user or role ARN, and consider the "Require MFA" option, which adds an aws:MultiFactorAuthPresent condition to the trust policy.

Attach the read-only policy created in step 1 to the role.

Save the role and note the role ARN.

Assume the Role from the Security Administrator’s Account:

In the security administrator’s account, navigate to the IAM console.

Use the "Switch Role" option to assume the cross-account role created in the developer account using the role ARN (from the AWS CLI, the equivalent is aws sts assume-role --role-arn <role ARN> --role-session-name <name>, which returns temporary credentials). The security administrator's own identity must also be allowed to call sts:AssumeRole on that role ARN.

The security administrator can now access the VPC configuration of the developer accounts with read-only permissions, using temporary credentials that expire with the session.
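The following is an added example, not code from the original page: it builds the two policy documents behind answer D (the read-only permissions policy and a trust policy scoped to one principal with an MFA condition), checks that a permissions policy is genuinely read-only (which rejects the administrator-style policies of options B and C), and assembles the sts:AssumeRole call the security administrator makes. The account IDs, the principal ARN and the role name are placeholder assumptions.

```python
"""Cross-account read-only VPC review: policy documents and checks.

Added example. Account IDs, the security administrator's principal ARN and the
role name below are assumptions, not values from the original page.
"""
import re

SECURITY_ACCOUNT_ID = "111111111111"  # assumed: security administrator's account
SECURITY_ADMIN_ARN = f"arn:aws:iam::{SECURITY_ACCOUNT_ID}:user/security-admin"  # assumed
ROLE_NAME = "VpcReadOnlyReviewRole"  # assumed name of the role in each developer account

# Describe-only EC2 actions that cover the usual VPC review.
VPC_READ_ACTIONS = [
    "ec2:DescribeVpcs",
    "ec2:DescribeSubnets",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeInternetGateways",
    "ec2:DescribeNatGateways",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcPeeringConnections",
]


def vpc_read_only_policy():
    """Permissions policy attached to the role in each developer account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": VPC_READ_ACTIONS, "Resource": "*"}
        ],
    }


def trust_policy(principal_arn=SECURITY_ADMIN_ARN, require_mfa=True):
    """Trust policy: only the named principal may assume the role, MFA required.

    Scoping to a specific ARN (not the account root) means nobody else in the
    security account can use the role without an explicit change here.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


# A read-only action is service:Describe..., service:Get... or service:List...
# with no wildcard anywhere in it.
_READ_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z0-9]*$")


def is_read_only(policy):
    """True only if every Allow action is a concrete Describe/Get/List call."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not _READ_ACTION.match(action):
                return False
    return True


def assume_role_request(developer_account_id, session_name="vpc-review", role_name=ROLE_NAME):
    """Parameters for sts.assume_role(); the session name shows up in CloudTrail."""
    return {
        "RoleArn": f"arn:aws:iam::{developer_account_id}:role/{role_name}",
        "RoleSessionName": session_name,
    }


def assume_role_session(developer_account_id):
    """Assume the role and return a boto3 Session on the temporary credentials.

    boto3 is imported here so the policy helpers above work without it.
    """
    import boto3  # assumed available when this function is actually used

    response = boto3.client("sts").assume_role(**assume_role_request(developer_account_id))
    creds = response["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    import json
    print(json.dumps(vpc_read_only_policy(), indent=2))
    print(json.dumps(trust_policy(), indent=2))
    print(assume_role_request("222222222222"))
```

The is_read_only check is the guard a reviewer would run before attaching a policy to the role: a statement allowing ec2:* (option B) or ec2:CreateVpc (option C) fails it, as does ec2:Describe*, because a wildcard can pick up future non-read actions.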

References: Cross-Account Access; Creating and Managing IAM Policies
