Best Way to Enable Partner Account Access to AWS Log Files for Analysis

Accessing Log Files in AWS for Analysis

Question

Your company has been using AWS for the past 2 years.

They have separate S3 buckets for logging the various AWS services that have been used.

They have hired an external vendor to analyze their log files.

The vendor has its own AWS account.

What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below.

Answers

Explanations


A. Create an IAM user with read-only access to the S3 buckets.

B. Create an IAM role with read-only access to the S3 buckets.

C. Provide the IAM user credentials to the external vendor.

D. Ensure the IAM role can be assumed by the external vendor.

Answer - B and D.

The AWS Documentation mentions the following.

To share log files between multiple AWS accounts, you must perform the following general steps.

These steps are explained in detail later in this section.

· Create an IAM role for each account that you want to share log files with.

· For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.

· Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files.

Options A and C are invalid because creating an IAM user and then handing that user's long-term credentials to the vendor is a clear "no" from a security perspective.

For more information on sharing CloudTrail log files, see:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html

The best way to give the partner account access to the log files in the company account is to create an IAM role in the company account with read-only access to the log buckets and let the external vendor assume that role from their own account. Options B and D are the correct answers.

Option A, creating an IAM user with read-only access to the S3 buckets, is not recommended because it requires sharing long-term AWS credentials with the external vendor. IAM users are meant for identities inside an account; cross-account access should go through roles.

Option C, handing the IAM user's credentials to the external vendor, is not recommended for the same reason: the vendor would hold long-lived access keys to the company account, which do not expire, cannot be tied to the vendor's own identities, and must be rotated by hand if they leak.

Option B, creating an IAM role with read-only access to the S3 buckets, lets the external vendor assume the role from their own AWS account. No long-term credentials change hands: the vendor receives temporary credentials from AWS STS, and can only perform the actions the role's permission policy allows.

Option D, ensuring the IAM role can be assumed by the external vendor, means the role's trust policy names the vendor's AWS account as a principal allowed to call sts:AssumeRole. Only that account can then assume the role and read the buckets. Requiring an ExternalId in the trust policy's condition additionally protects against the confused-deputy problem when the vendor serves several customers from the same account.

In summary, creating an IAM role with a trust policy that allows the external vendor to assume the role is the best way to ensure that the partner account can access the log files in the company account for analysis while maintaining a high level of security.
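The two policy documents behind options B and D, as an added example that is not part of the original page or of the AWS documentation it quotes: a trust policy that lets only the vendor's account assume the role (and only with an agreed ExternalId), and a permission policy limited to listing and reading the log buckets. A small evaluator then shows which callers the trust policy admits and which actions the permission policy grants on which ARNs. The account IDs, bucket names, role name and ExternalId are placeholders, and the evaluator models only the policy shapes used here, not the full IAM evaluation logic.

```python
"""Cross-account read-only access to S3 log buckets via an assumable IAM role.

Added example; account IDs, bucket names, role name and ExternalId are assumed
placeholders, not values from the original page.
"""
import json

COMPANY_ACCOUNT_ID = "111111111111"  # assumed: account that owns the log buckets
VENDOR_ACCOUNT_ID = "222222222222"   # assumed: the external vendor's own account
LOG_BUCKETS = ["company-cloudtrail-logs", "company-vpc-flow-logs"]  # assumed names
EXTERNAL_ID = "vendor-engagement-2024-q1"  # assumed; agreed with the vendor out of band
ROLE_NAME = "VendorLogReadOnly"            # assumed role name


def trust_policy(vendor_account_id, external_id):
    """Trust policy for the role in the company account (option D).

    Only principals in the vendor's account may call sts:AssumeRole, and only
    when they present the agreed ExternalId, which blocks a third party from
    tricking the vendor into assuming this role on their behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def read_only_policy(buckets):
    """Permission policy attached to the role (option B): list and read the
    log buckets, nothing else. Bucket-level and object-level actions need
    different ARNs, hence the two statements."""
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    object_arns = [f"arn:aws:s3:::{b}/*" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arns},
            {"Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": object_arns},
        ],
    }


def can_assume(policy, caller_account_id, external_id=None):
    """Minimal trust-policy check: may this account assume the role?
    Handles only the Principal/Condition shapes produced by trust_policy()."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account_id}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue  # right account, wrong or missing ExternalId
        return True
    return False


def allowed_actions(policy, resource_arn):
    """Actions the permission policy grants on one S3 ARN. Supports exact
    resource matches and trailing '/*' object wildcards, which is all
    read_only_policy() emits."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        matches = resource_arn in stmt["Resource"] or any(
            r.endswith("/*") and resource_arn.startswith(r[:-1])
            for r in stmt["Resource"])
        if matches:
            allowed.update(stmt["Action"])
    return allowed


if __name__ == "__main__":
    # Company side: these documents are what you pass to
    #   aws iam create-role --role-name VendorLogReadOnly \
    #       --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name VendorLogReadOnly \
    #       --policy-name LogReadOnly --policy-document file://perms.json
    print(json.dumps(trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(read_only_policy(LOG_BUCKETS), indent=2))
    # Vendor side, from their own account, to obtain temporary credentials:
    #   aws sts assume-role --role-arn arn:aws:iam::111111111111:role/VendorLogReadOnly \
    #       --role-session-name log-analysis --external-id vendor-engagement-2024-q1
```

Two things the role policy alone does not cover: if the log buckets use SSE-KMS with a customer managed key, the role also needs kms:Decrypt on that key (and the key policy must allow it), and any explicit Deny in the bucket policy still wins over the role's Allow. Check both before telling the vendor the setup is ready.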