1. A security engineer wants to give an external auditing firm read-only access to specific AWS resources in the company's account. The auditors have their own AWS account. The company does not want to create long-term IAM credentials for the auditors. Which approach follows AWS best practices?
- A. Create an IAM user for the auditing firm, attach a read-only policy, and share the access key
- B. Create an IAM role with a read-only policy and a trust policy that allows the auditing firm's AWS account to assume it✓ Correct
- C. Enable AWS Artifact and grant the auditing firm access to download compliance reports
- D. Share the company's AWS Management Console login URL and a temporary IAM user password
Explanation
Using an IAM role with cross-account trust is the AWS-recommended pattern for granting external parties access. The auditors assume the role from their own account, receiving temporary STS credentials scoped to the read-only policy—no long-term credentials are needed. Creating an IAM user with an access key produces long-term credentials that must be managed and rotated, violating the requirement. AWS Artifact provides compliance documents, not live resource access. Sharing a console login URL and temporary password still involves long-term credentials and is not a scalable or secure practice for cross-account access.