🔥 3-day streak
AWS Certified CloudOps Engineer - Associate97 / 159
Question 97 of 159

A CloudOps engineer works for a SaaS monitoring vendor that must access its customers' AWS accounts to read CloudWatch metrics. Each customer creates an IAM role that trusts the vendor's AWS account and grants read-only CloudWatch access. During a security review, the engineer is warned that a malicious third party who learns a customer's role ARN could potentially trick the vendor's service into assuming that role on the attacker's behalf. Which approach should the vendor require its customers to implement to prevent this cross-account access risk?

Reviewed for accuracy · Report an issueNext question