A company is working with an external vendor that requires write access to the company's Amazon Simple Queue Service (Amazon SQS) queue. The vendor has its own AWS account. What should a solutions architect do to implement least privilege access?
A. Update the permission policy on the SQS queue to give write access to the vendor's AWS account.
B. Create an IAM user with write access to the SQS queue and share the credentials for the IAM user.
C. Update AWS Resource Access Manager to provide write access to the SQS queue from the vendor's AWS account.
D. Create a cross-account role with access to all SQS queues and use the vendor's AWS account in the trust document for the role.
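As an added illustration of what option A looks like in practice (this is example code written for this page, not AWS documentation or code from the question), the block below builds the queue resource policy that grants a single external account only `sqs:SendMessage` on a single queue, and then audits a policy document for the least-privilege problems discussed in the thread: a public principal, a wildcard action, a resource broader than the one queue, and actions that the SQS developer guide says cannot be granted cross-account at all. The account IDs, region, queue name and the `BROAD_POLICY` counter-example are constructed values, not from the original question.

```python
import json

# Constructed sample identifiers; these are assumptions for the example, not
# values from the original question.
OWNER_ACCOUNT = "111111111111"
VENDOR_ACCOUNT = "222222222222"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{OWNER_ACCOUNT}:vendor-inbound"

# Actions the SQS developer guide lists as not grantable cross-account through
# a queue policy (the list quoted in the discussion on this page).
NON_CROSS_ACCOUNT_ACTIONS = {
    "AddPermission", "CreateQueue", "DeleteQueue", "ListQueues", "ListQueueTags",
    "RemovePermission", "SetQueueAttributes", "TagQueue", "UntagQueue",
}


def build_vendor_queue_policy(queue_arn: str, vendor_account: str) -> dict:
    """Queue (resource) policy for option A: one account, one action, one queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowVendorSendMessage",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
            }
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principal_entries(principal) -> list:
    """Normalise the Principal element to a list of strings ('*', ARNs or account IDs)."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return []


def audit_queue_policy(policy: dict, queue_arn: str, owner_account: str) -> list:
    """Return least-privilege findings; an empty list means the policy grants only
    named principals specific actions on this one queue."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principal_entries(stmt.get("Principal"))
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' makes the queue public")
        # A principal is external when its account ID is not the queue owner's.
        external = any(owner_account not in p for p in principals if p != "*")
        for action in _as_list(stmt.get("Action", [])):
            name = action.split(":")[-1]
            if name == "*":
                findings.append(f"{sid}: wildcard action {action}")
            elif external and name in NON_CROSS_ACCOUNT_ACTIONS:
                findings.append(f"{sid}: {action} cannot be granted cross-account")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != queue_arn:
                findings.append(f"{sid}: Resource {resource} is broader than {queue_arn}")
    return findings


# Constructed counter-example in the spirit of option D: every queue, every action.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowVendorEverything",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
            "Action": ["sqs:*", "sqs:SetQueueAttributes"],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    good = build_vendor_queue_policy(QUEUE_ARN, VENDOR_ACCOUNT)
    print(json.dumps(good, indent=2))
    print("findings (least privilege):", audit_queue_policy(good, QUEUE_ARN, OWNER_ACCOUNT))
    print("findings (broad):", audit_queue_policy(BROAD_POLICY, QUEUE_ARN, OWNER_ACCOUNT))
```

Granting to the vendor account's `root` principal delegates to that account's own IAM administrators the decision of which of their users or roles may send; the vendor still needs an identity policy on its side that allows `sqs:SendMessage` on this queue ARN, since a cross-account call must be allowed by both the resource policy and the caller's identity policy.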
Attach a permission policy to a user in another AWS account – To grant user permissions to create an Amazon SQS queue, attach an Amazon SQS permissions policy to a user in another AWS account.
Cross-account permissions don't apply to the following actions:
AddPermission
CreateQueue
DeleteQueue
ListQueues
ListQueueTags
RemovePermission
SetQueueAttributes
TagQueue
UntagQueue
Solution A works; however, from the design principles of the security pillar of the AWS Well-Architected Framework, you should grant access via a role, not directly via a security policy. So D is a better answer.
An SQS policy allows cross-account access, whereas an IAM policy can't do that. This is the only difference between providing access to SQS queues through an SQS policy and an IAM policy.
Answer is A.
Refer to the URL:
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resource
Attach a permission policy to a user in another AWS account – To grant user permissions to create an Amazon SQS queue, attach an Amazon SQS permissions policy to a user in another AWS account.
Cross-account permissions don't apply to the following actions:
AddPermission
CreateQueue
DeleteQueue
ListQueues
ListQueueTags
RemovePermission
SetQueueAttributes
TagQueue
UntagQueue
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources:
"Attach a permission policy to a user in another AWS account – To grant user permissions to create an Amazon SQS queue, attach an Amazon SQS permissions policy to a user in another AWS account."
Answer is A
D suggests creating a cross-account role with access to all SQS queues and using the vendor’s AWS account in the trust document for the role. This option is not ideal because it grants the vendor access to all SQS queues, which goes against the principle of least privilege. The principle of least privilege means granting only the permissions necessary to perform a task and no more. In this case, the vendor only requires write access to a specific SQS queue, so granting access to all SQS queues is unnecessary and could potentially pose a security risk.