ExamQuestions.com

AWS Certified Security Specialty Exam Questions


Question 139:

A company has multiple AWS accounts and has hired a third-party security auditor. The auditor has its own AWS account, and the auditor needs read-only access to all AWS resources and the logs of API activities that have occurred on AWS. How can the company meet the auditor's requirements without compromising security in the AWS environment? Choose the correct answer from the options below.

Answer options:

A. Enable CloudTrail logging and use a cross-account IAM role to provide read-only access to the auditor on required AWS resources, including the S3 bucket containing the CloudTrail logs.
B. Create an SNS notification that sends the CloudTrail log files to the auditor's email when CloudTrail delivers the logs to S3, but does not allow the auditor access to the AWS environment.
C. The company should contact AWS as part of the shared responsibility model, and AWS will grant required access to the third-party auditor.
D. Enable CloudTrail logging and create an IAM user who has the admin permissions to the required AWS resources, including the S3 bucket containing the CloudTrail logs.