A company wants to grant users in one AWS account access to resources in another AWS account. The users do not currently have permission to access the resources.
Which AWS service will meet this requirement?
A company wants to grant users in one AWS account access to resources in another AWS account. The users do not currently have permission to access the resources.
Which AWS service will meet this requirement?
To grant users in one AWS account access to resources in another AWS account, the appropriate service to use is an IAM role. IAM roles allow you to set up trust relationships between different AWS accounts and provide temporary permissions to users so they can access resources in the target account. This is commonly used for cross-account access scenarios.
A. IAM group: Containers for IAM users. They are used to simplify the management of IAM policies by allowing you to attach policies to a group and automatically apply those policies to all users in the group. However, IAM groups are not directly used for cross-account access. B. IAM role: Are used to delegate permissions to users, applications, or services. In the context of cross-account access, you can create an IAM role in the target account and define policies that grant access to the necessary resources. Users in the source account can assume the role to access resources in the target account. IAM roles are commonly used for cross-account access scenarios. C. IAM tag: Are metadata that you can assign to IAM users, groups, roles, and policies. While tags are useful for organizing and managing resources, they are not the primary mechanism for granting cross-account access. D. IAM Access Analyzer: A tool that helps identify resources that are shared with an external entity or are publicly accessible. It is used for analyzing access across accounts, but not specifically for setting up cross-account access.
"You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account."
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
Since there are many users that need access, shouldn't a group be created and include those users in the group and then grant to the group the role?
I think it is also better for the trusted account to use STS AssumeRole API call to assume the role with temporary credentials
B. IAM role: Are used to delegate permissions to users, applications, or services. In the context of cross-account access, you can create an IAM role in the target account and define policies that grant access to the necessary resources. Users in the source account can assume the role to access resources in the target account. IAM roles are commonly used for cross-account access scenarios.
B. IAM Role
IAM role
IAM Role