AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A global enterprise maintains three separate environments for their application lifecycle: development, staging, and production. Each environment is managed through distinct cloud accounts to enhance compartmentalization. With a centralized directory service managing user credentials on-premises, which approach should be chosen to provide developers with environment-specific access, while adhering to the security principle of least privilege?
Assign credentials from the directory service to individual user accounts in each cloud environment, applying direct permissions.
Use a user identity and authentication management service suited for applications to control access to different cloud accounts.
Distribute multiple access credentials tied to a singular identity within the primary cloud account for access management.
Integrate the centralized directory service with cloud-based trust relationships and environment-specific roles for secure, limited access.
Setting up a trust relationship between the centralized directory service and cloud-based resources with specific roles dedicated for each environment is the most secure and scalable solution. This maintains a single identity for users while leveraging existing authentication mechanisms and enables appropriate, limited access to development, staging, or production resources. Direct attachment of policies to identities is less secure and scalable. Amazon Cognito is better suited for consumer application user pools and identity management. Using one cloud identity with multiple credentials is not a best practice due to security and management complexity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a trust relationship in the context of centralized directory services and cloud-based roles?
Open an interactive chat with Bash
How does the principle of least privilege apply when assigning roles across cloud environments?
Open an interactive chat with Bash
Why is it not recommended to use a single cloud identity with multiple shared credentials?