Q22 — AWS SOA-C02 Ch.1


A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing the internal security of its AWS environment. The company’s security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts. Which solution will meet these requirements in the MOST secure manner?

Correct Answer: D. Create an IAM policy in each developer account that has read-only access related to VPC resources. Assign the policy to a cross-account IAM role. Ask the security administrator to assume the role from their account.

Explanation

When multiple accounts are managed in AWS Organizations, the best practice for cross-account access is an IAM role rather than shared user credentials. A role has no long-term credentials: assuming it returns temporary security credentials from AWS STS that expire on their own, so a leaked session is far less damaging than a leaked access key. AWS documentation also stresses the principle of least privilege: grant only the permissions the task requires. Option D creates a cross-account role in each developer account with a read-only VPC policy, so the security administrator can inspect the configuration but cannot modify any resource. Options A and B rely on sharing user credentials, which creates a risk of leakage; option C grants administrator permissions, far more than a review needs. A cross-account role combined with least privilege is therefore the most secure choice.

Two details matter in practice. The role's trust policy should name only the security administrator's account as the principal (ideally with an MFA condition), not a wildcard; and the administrator's own account must still grant them sts:AssumeRole on that role ARN, since cross-account assumption requires both sides to allow it.
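As an added illustration (not part of the original question or AWS documentation), the following Python builds the two policy documents that option D implies, the permissions policy and the trust policy for the role in a developer account, and checks them for the two properties the explanation relies on: every allowed action is a read-only EC2 call, and only the security account (with MFA) may assume the role. The account IDs, the role name VpcReadOnlyAudit and the specific Describe actions are assumptions chosen for the example.

```python
import fnmatch
import json

# Hypothetical account IDs and role name used only for this example.
SECURITY_ACCOUNT_ID = "111111111111"
DEVELOPER_ACCOUNT_ID = "222222222222"
ROLE_NAME = "VpcReadOnlyAudit"

# Read-only EC2 networking calls a VPC configuration review needs (assumed list).
VPC_READ_ACTIONS = [
    "ec2:DescribeVpcs",
    "ec2:DescribeSubnets",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeInternetGateways",
    "ec2:DescribeNatGateways",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeFlowLogs",
]

# Action name patterns that never mutate state in EC2.
READ_ONLY_PATTERNS = ("ec2:Describe*", "ec2:Get*", "ec2:List*")


def permissions_policy():
    """Identity-based policy attached to the role inside the developer account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VpcReadOnly",
            "Effect": "Allow",
            "Action": VPC_READ_ACTIONS,
            # ec2:Describe* calls do not support resource-level restriction.
            "Resource": "*",
        }],
    }


def trust_policy(security_account_id=SECURITY_ACCOUNT_ID):
    """Trust policy: only principals in the security account, and only with MFA,
    may call sts:AssumeRole on this role. The caller also needs sts:AssumeRole
    granted in their own account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def role_arn(developer_account_id=DEVELOPER_ACCOUNT_ID, role_name=ROLE_NAME):
    """ARN the security administrator passes to sts:AssumeRole."""
    return f"arn:aws:iam::{developer_account_id}:role/{role_name}"


def _as_list(value):
    # IAM allows a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def is_read_only(policy):
    """True only if every Allow statement grants nothing beyond Describe/Get/List.
    Rejects wildcards such as 'ec2:*' or '*' and any NotAction statement."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            return False  # NotAction allows everything not listed; never read-only
        for action in _as_list(stmt.get("Action", [])):
            if not any(fnmatch.fnmatchcase(action, p) for p in READ_ONLY_PATTERNS):
                return False
    return True


def trust_is_scoped(policy, security_account_id=SECURITY_ACCOUNT_ID):
    """True only if every statement trusts exactly the security account root
    principal and requires MFA on the assuming session."""
    expected = f"arn:aws:iam::{security_account_id}:root"
    for stmt in policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principals != [expected]:
            return False
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if mfa != "true":
            return False
    return True


if __name__ == "__main__":
    # Print the documents ready for `aws iam create-role` / `put-role-policy`.
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("read-only:", is_read_only(permissions_policy()))
    print("trust scoped:", trust_is_scoped(trust_policy()))
    print("assume with:", role_arn())
```

Once the role exists, the administrator obtains temporary credentials with `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/VpcReadOnlyAudit --role-session-name vpc-review` and runs the `aws ec2 describe-*` commands with them; a `describe-vpcs` call succeeds while any `create-route` or `authorize-security-group-ingress` call is denied, which is exactly the boundary the question asks for.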