Your company runs a successful medical sampling application onto the AWS cloud and uses various AWS services like EC2, EBS, S3, DynamoDB, etc. Due to their business nature, they have an internal audit and compliance team that regularly audits the security posture and takes up various compliance-related activities on a strict basis. The management has decided to go for an external tool to add to the internal auditing process. The management has decided to use a 3rd-party tool that helps them quickly do the auditing and compliance scanning and generate reports.

Answer options:

A.The security team is correct, and you do not need any extra security to verify the access.
B.The auditing team is correct, and you can use the External Id to secure the access further.
C.Use the OwnerId and ExternalId with the AssumeRole API.
D.Use the ExternalId with the AssumeRole API.
E.You do not need to modify the IAM policy to add the ExternalId condition.

Answers: B and D
Option A is INCORRECT because it is advisable to use the ExternalId to secure your AssumeRole calls further. This feature is only available via the CLI and API and not via the console.
Option B is CORRECT because the auditing team is correct, and the AssumeRole can be further secure down with the use of ExternalId while giving access to the external tools.
Option C is INCORRECT because it’s just the ExternalId and not the OwnerId which you can pass along the AssumeRole API.
Option D is CORRECT because you can use the ExternalId parameter while making the AssumeRole API call.
Option E is INCORRECT because if the cross-account role is set with the ExternalId, the policy should be modified to add the ExternalId.