A company has multiple AWS accounts and has hired a third-party security auditor.
The auditor has its own AWS account, and the auditor needs read-only access to all AWS resources and the logs of API activities that have occurred on AWS.
How can the company meet the auditor's requirements without compromising security in the AWS environment? Choose the correct answer from the options below.
A.
B.
C.
D.

Answer - A.
Cross-account IAM roles allow customers to securely grant access to AWS resources in their account to a third party, like an APN Partner/auditor, while retaining the ability to control and audit who is accessing their AWS account.
Besides, CloudTrail should be enabled so that the auditor can trace the API activities happening in the AWS account.
For more information, please visit the below URL:
https://aws.amazon.com/blogs/apn/securely-accessing-customer-aws-accounts-with-cross-account-iam-roles/

The correct answer to this question is A. Enable CloudTrail logging and use a cross-account IAM role to provide read-only access to the auditor on required AWS resources, including the S3 bucket containing the CloudTrail logs.
Explanation:
CloudTrail is a service provided by AWS that logs all API activity occurring in an AWS account. By enabling CloudTrail, an AWS account can monitor all API activity occurring in its account, and store the logs in an S3 bucket. These logs can be used to analyze security incidents, troubleshoot operational issues, and demonstrate compliance with various regulatory requirements.
In this scenario, the company has multiple AWS accounts and has hired a third-party security auditor who has its own AWS account. The auditor needs read-only access to all AWS resources and the logs of API activities that have occurred on AWS. To provide this access, the company should enable CloudTrail logging and use a cross-account IAM role to provide read-only access to the auditor on required AWS resources, including the S3 bucket containing the CloudTrail Logs.
A cross-account IAM role allows an AWS account to delegate access to its resources to another AWS account. By creating a cross-account IAM role, the company can grant the auditor read-only access to the required AWS resources, including the S3 bucket containing the CloudTrail logs. The auditor can then use the logs to analyze security incidents and ensure compliance with various regulatory requirements.
Option B is incorrect because sending the CloudTrail logs to the auditor's email does not provide secure access to the logs and does not meet the auditor's requirement for read-only access to all AWS resources.
Option C is incorrect because AWS does not grant access to AWS resources to third-party auditors. The company is responsible for providing the auditor with the required access to AWS resources.
Option D is incorrect because creating an IAM user with admin permissions to the required AWS resources, including the S3 bucket containing the CloudTrail logs, gives the auditor more access than required and is not a secure solution.
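As an added example (not part of the original question or its explanation), here are the two policy documents such a cross-account auditor role needs, with a small check that the role really stays read-only; the account IDs, bucket name and external ID are constructed placeholders.

```python
import json
import re

# Constructed placeholders, not values from the original question.
AUDITOR_ACCOUNT = "222222222222"          # auditor's own AWS account
TRAIL_BUCKET = "example-cloudtrail-logs"  # bucket the trail writes to
EXTERNAL_ID = "audit-engagement-0001"     # value agreed with the auditor

# Trust policy: only the auditor account can assume the role, and only when it
# passes the agreed ExternalId (mitigates the confused-deputy problem).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AUDITOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Permission policy: read-only on in-scope resources plus read access to the
# CloudTrail bucket (AWS's managed ReadOnlyAccess could replace statement one).
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                    "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{TRAIL_BUCKET}", f"arn:aws:s3:::{TRAIL_BUCKET}/*"]},
    ],
}

# Actions an auditor role may carry: Get/List/Describe, wildcard suffix allowed.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z*]*$")

def audit_role_findings(trust, perms):
    """Return problems in the policy pair; [] means least-privilege read-only."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {}).get("AWS", "")
        if principal == "*" or AUDITOR_ACCOUNT not in str(principal):
            findings.append("trust policy is not limited to the auditor account")
        if "sts:ExternalId" not in json.dumps(st.get("Condition", {})):
            findings.append("trust policy has no ExternalId condition")
    for st in perms["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        findings += [f"non-read-only action granted: {a}" for a in actions
                     if not READ_ONLY.match(a)]
    return findings
```

Running the check against an admin-style policy (`"Action": "*"`, as in option D) reports the over-broad grant, which is the difference between options A and D in practice.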