Answer - B
The AWS Documentation mentions the following.
Cross-account IAM roles allow customers to securely grant access to AWS resources in their account to a third party, like an APN Partner, while retaining the ability to control and audit who is accessing their AWS account. Cross-account roles reduce the amount of sensitive information APN Partners need to store for their customers so that they can focus on their product instead of managing keys.
Using an IAM user to control 3rd party access involves handing over an Access Key/Secret Key - this is the simple "access badge."
Using AssumeRole to control 3rd party access uses the same information plus a security token. To assume a role, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. This is the "access badge with fingerprint validation."
Anyone can use the IAM keys; they're just a key pair. Anyone can take them and use them later on, and you would not be able to tell that person apart from the trusted party the keys were given to. To use AssumeRole, you must first be authenticated as the trusted entity and, in the case of temporary credentials, use them before they expire. These extra security features are what make it more secure.
Typically, you use AssumeRole for cross-account access.
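An added example (not from the AWS documentation or the original answer) that audits a role's trust policy, the document that decides which accounts may call AssumeRole. The policy, account IDs and function names are constructed for illustration, and the check is simplified: it ignores Condition, NotPrincipal and Deny statements.

```python
# Constructed trust policy for a hypothetical cross-account role.
# Account IDs are placeholders, not values from the page.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(value):
    # IAM JSON allows a single value or a list in most positions.
    return value if isinstance(value, list) else [value]

def trusted_accounts(policy):
    """Return account IDs (or '*') that Allow statements let call sts:AssumeRole."""
    accounts = set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not (
                {"sts:assumerole", "sts:*", "*"} & set(actions)):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        for p in _as_list(principal.get("AWS", [])):
            parts = p.split(":")
            if p == "*":
                accounts.add("*")
            elif len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
                accounts.add(parts[4])      # arn:aws:iam::<account>:...
            elif p.isdigit() and len(p) == 12:
                accounts.add(p)             # bare account ID form
    return accounts

def audit(policy, expected_partner):
    """Findings for a role that should trust exactly one partner account."""
    found = trusted_accounts(policy)
    findings = []
    if "*" in found:
        findings.append("role trusts any AWS principal")
    findings += [f"unexpected trusted account {a}"
                 for a in sorted(found - {"*", expected_partner})]
    if expected_partner not in found:
        findings.append(f"partner {expected_partner} is not trusted")
    return findings

if __name__ == "__main__":
    print(audit(TRUST_POLICY, "111122223333") or "trust policy matches expectation")
```

An empty findings list means the role trusts only the expected partner account; any other result is worth reviewing before the role is handed to a third party.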
Options A and C are incorrect because they are less secure: an IAM user or an IAM group (a set of users) is simply given permissions, which is just like handing over keys, without the extra security token.
Option D is incorrect since IAM Profile doesn’t exist in AWS.
For more information on cross-account roles, please refer to the URLs below:
https://aws.amazon.com/blogs/apn/securely-accessing-customer-aws-accounts-with-cross-account-iam-roles/
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html