AWS best practices strongly discourage the use of long-term credentials and recommend cross-account IAM roles with temporary credentials for third-party access. According to the AWS Certified Security – Specialty Study Guide, creating an IAM role in the resource-owning account and allowing a trusted external AWS account to assume that role is the recommended pattern for external access.
By creating the IAM role in the company's production account and specifying the consultant agency's AWS account as the trusted principal, the company retains full control over permissions. The trust policy can enforce MFA with the aws:MultiFactorAuthPresent condition key, so that every assumption of the role requires MFA. Access is granted through AWS Security Token Service (STS), which issues short-lived credentials.
Option A violates the requirement to avoid long-term credentials. Option B is designed for application user authentication, not AWS account access. Option C incorrectly places the role in the consultant’s account, reducing the company’s control over access.
This solution satisfies MFA enforcement, eliminates long-term credentials, and aligns with AWS third-party access best practices.
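As an added illustration (not taken from the study guide or the referenced documents), this is the trust policy attached to the role in the company's production account: the consultant agency's account is the trusted principal, and the Bool condition on aws:MultiFactorAuthPresent denies any AssumeRole call that was not made under MFA. The account ID 111122223333 is a placeholder for the consultant agency's account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConsultantAccountToAssumeRoleWithMFA",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Use `Bool` rather than `BoolIfExists` here: with `Bool`, a caller whose session carries no MFA context (for example an IAM user calling AssumeRole with plain access keys) is denied, whereas `BoolIfExists` would allow it. The consultant account must separately grant its own principals permission to call sts:AssumeRole on this role's ARN; the trust policy alone does not do that.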
Referenced AWS Specialty Documents:
AWS Certified Security – Specialty Official Study Guide
AWS IAM Cross-Account Access
AWS STS and MFA Enforcement