A security team needs to grant external auditors temporary access to specific cloud servers for a one-week audit. Company policy dictates that access must follow the principle of least privilege and be revoked automatically after the audit. Which of the following privileged access management (PAM) techniques BEST meets these requirements?
Provision non-expiring API keys restricted to the auditors' IP addresses.
Issue a shared password that provides access to all necessary servers.
Create permanent, role-based accounts for each member of the audit team.
Implement ephemeral credentials that expire after the audit period.
Implementing ephemeral credentials is the best solution as they are, by definition, temporary and designed to expire after a short, predefined period. This directly aligns with the policy requirement for access to be automatically revoked after the audit. This approach embodies the principles of Just-in-Time (JIT) access and least privilege by providing access only for the duration it is needed. Permanent accounts create a standing privilege that increases the attack surface, which is against security best practices. Shared passwords eliminate individual accountability and are a poor security practice. Non-expiring API keys, even if IP-restricted, violate the policy for temporary access and create a persistent security risk if compromised.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a time-restricted access token?
Open an interactive chat with Bash
Why are shared credentials considered insecure?
Open an interactive chat with Bash
How do time-restricted access tokens compare to API keys for temporary access?