Exam AWS Certified Security - Specialty topic 1 question 111 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 111
Topic #: 1

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs.
The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role.
When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account.
What steps should the Engineer perform to prevent this outcome?

  • A. Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
  • B. Request an external ID from AnyCompany and add a condition with sts:ExternalId to the role's trust policy.
  • C. Require two-factor authentication by adding a condition to the role's trust policy with aws:MultiFactorAuthPresent.
  • D. Request an IP range from AnyCompany and add a condition with aws:SourceIp to the role's trust policy.
Suggested Answer: B
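As an added illustration (not part of the exam question or of this discussion page), the script below models the confused-deputy scenario the question describes. It builds Example Corp's trust policy twice, once as the Engineer originally wrote it and once with the sts:ExternalId condition from option B, and runs a simplified version of the STS trust-policy check against two AssumeRole calls that both originate from AnyCompany's account: the legitimate one carrying Example Corp's external ID, and one made on behalf of a rival customer who has deduced the role ARN and registered it with AnyCompany. All account IDs, ARNs and external-ID values are constructed placeholders, and the evaluator covers only the fragment of the IAM policy language needed here.

```python
# Added example (not part of the exam question or this discussion page): a
# simplified model of how AWS STS evaluates a role trust policy, used to show
# why option B stops the confused-deputy attack the question describes.
# All account IDs, ARNs and external IDs below are constructed placeholders.
import json

EXAMPLE_CORP_ACCOUNT = "111111111111"      # assumed: Example Corp's account
ANYCOMPANY_ACCOUNT = "222222222222"        # assumed: AnyCompany's account
ROLE_ARN = f"arn:aws:iam::{EXAMPLE_CORP_ACCOUNT}:role/AnyCompanyCostMonitor"
EXAMPLE_CORP_EXTERNAL_ID = "ec-7f3a9c21"   # assumed: value AnyCompany assigns


def make_trust_policy(external_id=None):
    """Build the trust policy for Example Corp's role.

    With external_id=None this is the policy the Engineer already wrote: any
    principal in AnyCompany's account may assume the role. With a value it is
    option B: the same, plus a StringEquals condition on sts:ExternalId.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ANYCOMPANY_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(policy, caller_account, external_id=None):
    """Decide whether an AssumeRole call is allowed by the trust policy.

    Models only the subset of the policy language this example needs: an
    Allow statement whose Principal.AWS lists the caller's account, an Action
    of sts:AssumeRole, and StringEquals conditions on request keys. It is
    not a general IAM evaluator. A condition key that is absent from the
    request (the caller passed no ExternalId) does not match, which is how
    StringEquals behaves in STS.
    """
    request_keys = {}
    if external_id is not None:
        request_keys["sts:ExternalId"] = external_id

    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        # "arn:aws:iam::<account>:root" -> the account id is the fifth field
        trusted_accounts = {p.split(":")[4] for p in principals}
        if caller_account not in trusted_accounts:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_keys.get(key) == value for key, value in conditions.items()):
            return True
    return False


def confused_deputy_outcome(policy, rival_external_id="rival-0042"):
    """Simulate the attack in the question; return (legit_ok, rival_ok).

    A rival customer of AnyCompany has deduced ROLE_ARN and registers it as
    "their" account. AnyCompany dutifully calls AssumeRole on that ARN from
    its own account, but with the external ID it assigned to the rival. The
    legitimate call uses Example Corp's external ID. Both calls come from
    AnyCompany's account (and AnyCompany's IP ranges), so only the external
    ID distinguishes them.
    """
    legit_ok = assume_role_allowed(policy, ANYCOMPANY_ACCOUNT, EXAMPLE_CORP_EXTERNAL_ID)
    rival_ok = assume_role_allowed(policy, ANYCOMPANY_ACCOUNT, rival_external_id)
    return legit_ok, rival_ok


if __name__ == "__main__":
    before = make_trust_policy()
    after = make_trust_policy(EXAMPLE_CORP_EXTERNAL_ID)
    print(json.dumps(after, indent=2))
    print("without condition (legit, rival):", confused_deputy_outcome(before))
    print("with sts:ExternalId (legit, rival):", confused_deputy_outcome(after))
```

In the real exchange AnyCompany supplies the value as the ExternalId parameter of the STS AssumeRole call (in boto3, `sts.assume_role(RoleArn=..., RoleSessionName=..., ExternalId=...)`). The point the simulation makes is that the rival's request is not a foreign principal: it is AnyCompany itself, acting as a deputy, from AnyCompany's own account and network. That is why tightening the Principal or adding an aws:SourceIp condition cannot separate the two customers, while a per-customer external ID chosen by AnyCompany can.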

Comments

kiev
Highly Voted 3 years, 8 months ago
B all the way
upvoted 11 times
cissp4365
Highly Voted 3 years, 8 months ago
B, https://aws.amazon.com/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/
upvoted 6 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: B
B (ExternalID) is the solution for this scenario.
upvoted 1 times
scanner2
2 years ago
Selected Answer: B
B is the right answer. External ID is like a token that needs to be provided while assuming an IAM role.
upvoted 1 times
ITGURU51
2 years, 3 months ago
You can use an IAM role to establish a trusted relationship between your AWS account and the Example Corp account. After this relationship is established, a member of the Example Corp account can call the AWS Security Token Service AssumeRole API to obtain temporary security credentials.
upvoted 1 times
jishrajesh
2 years, 6 months ago
B is correct
upvoted 2 times
tobedeleted
2 years, 8 months ago
I totally agree with option B. Could you please suggest on why Role Trust Policy cannot have IP range Condition as per option D? If Customer of Third Party comes from another network, its request will get rejected then. Won't it?
upvoted 2 times
sapien45
2 years, 11 months ago
Selected Answer: B
The confused deputy problem
upvoted 4 times
Radhaghosh
3 years, 5 months ago
B is valid --> External ID is required to over come confused deputy problem
upvoted 2 times
Larsson
3 years, 8 months ago
B is common practice, therefore it's correct.
upvoted 5 times
NANDY666
3 years, 8 months ago
B is Correct
upvoted 3 times
DanMuniz
3 years, 8 months ago
B is correct, duplicated question indeed.
upvoted 3 times
foreverlate88
3 years, 8 months ago
B, duplicated question
upvoted 3 times
deegadaze1
3 years, 8 months ago
Correct!
upvoted 2 times
testing4321
3 years, 8 months ago
B is right ans. "Principal": {"AWS": "Example Corp's AWS Account ID"}, "Condition": {"StringEquals": {"sts:ExternalId": "Unique ID Assigned by Example Corp"}}
upvoted 3 times
Awraith
3 years, 9 months ago
Sorry guys, it is answer C : sts:Externald does not exist, it is not a correct API call. However, MFA condition is correct : https://aws.amazon.com/fr/blogs/security/how-do-i-protect-cross-account-access-using-mfa-2/
upvoted 3 times
BigDaddyNeo
3 years, 7 months ago
Sorry, that is not correct. Please see link to this article. I am going with B. https://research.nccgroup.com/2019/12/18/demystifying-aws-assumerole-and-stsexternalid/
upvoted 1 times
droogie
3 years, 8 months ago
It's a typo. Should be ExternalID https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html
upvoted 3 times
gfhbox0083
3 years, 9 months ago
B, for sure
upvoted 1 times
GSH
3 years, 9 months ago
same question in previous list, answer was correct and was B here...
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other