An enterprise wants to use a 3rd party SaaS application hosted by another AWS account. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise’s account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege. There must be controls in place to ensure that any other third party cannot use the SaaS vendor`s credentials.

Answer options:

A.From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
B.Create an IAM user within the enterprise account and assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create new access and secret key for the user and provide these credentials to the SaaS provider.
C.Create an IAM role for cross-account access that allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
D.Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the Saas application to work, provide the role ARN to the SaaS provider to be used when launching their application instances.

Answer – C
When a user, a resource, an application, or any service needs to access an AWS service or resource, always prefer creating an appropriate role with the least privileged access or only required access, rather than using any other credentials such as keys.
Option A is incorrect because you should never share your access and secret keys.
Option B is incorrect because (a) when a user is created, even though it may have the appropriate policy attached to it, its security credentials are stored in the EC2 which can be compromised, and (b) creation of the appropriate role is always the better solution rather than creating a user.
Option C is CORRECT because AWS`s role creation allows cross-account access to the application to access the necessary resources. See the image and explanation below.
Many SaaS platforms can access AWS resources via Cross-account access created in AWS. If you go to Roles in your identity management, you will see the ability to add a cross-account role.
Option D is incorrect because the role is to be assigned to the application and its resources, not the EC2 instances.
For more information on the cross-account role, please visit the below URL-
http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html