In cross-account design, which practice best manages identities and access?

Sharpen your skills for the AWS Certified Solutions Architect Professional Exam. Dive into flashcards, multiple choice questions, each with detailed explanations and hints. Perfect your knowledge and get ready to ace the AWS exam!

Multiple Choice

In cross-account design, which practice best manages identities and access?

Explanation:
Managing identities and access across multiple AWS accounts works best when authentication is centralized and access to each account is granted only as needed. A centralized identity provider with Single Sign-On and cross-account roles lets users authenticate once, obtain temporary credentials via STS, and assume specific roles in the target accounts. This setup enforces least-privilege permissions—each role grants only the permissions needed for the task and only for a limited time—and can require MFA before role assumption, adding an extra layer of security. It also minimizes credential proliferation and avoids sharing credentials across accounts while giving you a clear audit trail of who accessed what and when. Using separate IAM users in each account creates credential sprawl and complicates governance, since each account would need its own lifecycle management, policies, and MFA enforcement. Relying on MFA being disabled or sharing credentials across accounts is insecure and undermines traceability. A local user database for each service lacks central control and does not scale well for multi-account environments. By contrast, a centralized IdP with SSO and cross-account roles aligns with AWS best practices for scalable, secure, and auditable access across multiple accounts.

Managing identities and access across multiple AWS accounts works best when authentication is centralized and access to each account is granted only as needed. A centralized identity provider with Single Sign-On and cross-account roles lets users authenticate once, obtain temporary credentials via STS, and assume specific roles in the target accounts. This setup enforces least-privilege permissions—each role grants only the permissions needed for the task and only for a limited time—and can require MFA before role assumption, adding an extra layer of security. It also minimizes credential proliferation and avoids sharing credentials across accounts while giving you a clear audit trail of who accessed what and when.

Using separate IAM users in each account creates credential sprawl and complicates governance, since each account would need its own lifecycle management, policies, and MFA enforcement. Relying on MFA being disabled or sharing credentials across accounts is insecure and undermines traceability. A local user database for each service lacks central control and does not scale well for multi-account environments. By contrast, a centralized IdP with SSO and cross-account roles aligns with AWS best practices for scalable, secure, and auditable access across multiple accounts.

More Multiple Choice Questions
Subscribe

Get the latest from Passetra

You can unsubscribe at any time. Read our privacy policy