Question 39
Domain 6: Management and Security Governance
A company uses AWS Organizations. The company wants to implement short-term credentials for third-party AWS accounts to use to access accounts within the company's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort. Which solution will meet these requirements?
Correct answer: D
Explanation
AWS cross-account access uses IAM roles, and a trust policy can limit who assumes the role. The `sts:ExternalId` condition key is used to prevent the “confused deputy” problem, so “two external accounts” cannot reuse the same credentials, while still supporting console and SaaS access with short-term credentials and minimal operational effort.
Why each option is right or wrong
A. Use a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.
Amazon Cognito user pools are for application authentication, not cross-account AWS role trust.
B. Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identity source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.
AWS IAM Identity Center manages workforce access with permission sets, not third-party cross-account SaaS trust.
C. Create a unique IAM role for each external account. Create a trust policy. Use AWS Secrets Manager to create a random external key.
Secrets Manager stores and rotates secrets; it does not create the role trust condition needed here.
D. Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the `sts:ExternalId` condition key.
IAM roles are the AWS mechanism that issues short-term credentials for cross-account access, and they can be assumed from the AWS Management Console or by SaaS vendors without creating long-lived keys. Under IAM trust policy evaluation, adding the `sts:ExternalId` condition key to each role's trust relationship forces the caller to present the unique external ID agreed with that vendor, which blocks the confused-deputy scenario and prevents two different third-party accounts from reusing the same assumed-role path.
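As an added illustration (not part of the original question or its explanation), the per-vendor trust policy that option D describes, plus a simplified model of how the `sts:ExternalId` condition is evaluated. The account IDs are constructed placeholders, the external IDs are generated locally, and the evaluation function is a teaching model only: in practice AWS STS evaluates the trust policy, not this code.

```python
import json
import secrets
from typing import Optional

# Constructed placeholder account IDs for two third-party vendors (not real accounts).
VENDOR_A = "111111111111"
VENDOR_B = "222222222222"


def trust_policy(external_account_id: str, external_id: str) -> dict:
    """Trust policy for one role dedicated to one external account.

    The Principal restricts which account may call sts:AssumeRole; the
    sts:ExternalId condition additionally forces that caller to present the
    value agreed with this vendor, so another vendor cannot reuse the path.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{external_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(policy: dict, caller_account_id: str,
                        external_id: Optional[str]) -> bool:
    """Simplified model of trust-policy evaluation (AWS STS does the real one).

    True only if an Allow statement names the caller's account as Principal
    and its StringEquals condition on sts:ExternalId is satisfied.
    """
    caller_arn = f"arn:aws:iam::{caller_account_id}:root"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != caller_arn:
            continue  # a different account is not trusted by this statement
        required = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in required and required["sts:ExternalId"] != external_id:
            continue  # missing or wrong external ID: condition fails, no match
        return True
    return False


# One role per vendor, each with its own randomly generated external ID.
EXTERNAL_IDS = {VENDOR_A: secrets.token_urlsafe(24), VENDOR_B: secrets.token_urlsafe(24)}
ROLE_TRUST = {acct: trust_policy(acct, ext) for acct, ext in EXTERNAL_IDS.items()}

if __name__ == "__main__":
    print(json.dumps(ROLE_TRUST[VENDOR_A], indent=2))
```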