Question 267:
There are several DynamoDB tables in your AWS account. A third-party AWS account needs to read the data in those tables for audit purposes. You are configuring a cross-account IAM role that IAM entities in the third-party account can assume through the sts:AssumeRole API to access your AWS resources. This setup is exposed to the confused deputy problem: another customer of the third party could supply your role ARN and gain access to your AWS resources by way of the third party. How would you prevent the confused deputy problem in this scenario?
Answer options:
A. Configure an identity pool in AWS Cognito in your AWS account. Assign a token to your IAM role and ask the third party to include the token when it assumes your IAM role.
B. Ensure that only the third party's AWS account ID is included in the principal field of the cross-account IAM role, such as "Principal": {"AWS": "<third party's AWS account ID>"}.
C. Ask the third party for an external ID that it includes when it assumes the IAM role. Check the external ID in the role's trust policy.
D. In the trust policy of the cross-account IAM role, add a condition that the account ID in sts:AssumeRole must be the third party's AWS account.
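For reference, the trust policy below is an added example and is not part of the original question. It shows the cross-account role trust policy the question describes, hardened with the condition key AWS documents for this purpose, sts:ExternalId. The account ID 111122223333 stands in for the third party's account and the external ID value audit-7f3c9a2e is an assumed placeholder; both are made up for illustration. The weak version is the same statement without the "Condition" block: it limits the caller to the third party's account but still lets any of that third party's other customers pass your role ARN to it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowThirdPartyAuditorToAssumeRoleWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "audit-7f3c9a2e"
        }
      }
    }
  ]
}
```

The third party must pass the same value on every AssumeRole call (for example with --external-id on the AWS CLI); a call from the trusted account without it, or with a value belonging to a different customer, is denied. The external ID is a confused deputy control, not a credential: it is meant to be unique per customer of the third party, which is why the third party should generate it and you only record it in the trust policy. The role's permission policy should still grant only read access (for example dynamodb:GetItem, dynamodb:Query and dynamodb:Scan on the audited tables) so that the auditor cannot modify data even when the role is assumed legitimately.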