Home › Forums › AWS › AWS Certified Solutions Architect Professional › Security Auditor Job role
Tagged: securityaudit
Security Auditor Job role
Carlo-TutorialsDojo updated 8 months, 2 weeks ago 2 Members · 2 Posts
Could the Security job role: Security Auditor AWS managed policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor) be a better answer for the question below? If not, can you please explain why?
Category: CSAP – Continuous Improvement for Existing Solutions
A cryptocurrency exchange company has recently signed up for a 3rd party online auditing system, which is also using AWS, to perform regulatory compliance audits on their cloud systems. The online auditing system needs to access certain AWS resources in your network to perform the audit.
In this scenario, which of the following approaches is the most secure way of providing access to the 3rd party online auditing system?
1. Create a new IAM role for cross-account access which allows the online auditing system account to assume the role. Assign a policy that allows full and unrestricted access to all AWS resources.
2. Create a new IAM user and assign a user policy to the IAM user that allows only the actions required by the online audit system. Create a new access and secret key for the IAM user and provide these credentials to the 3rd party auditing company.
3. Create a new IAM role for cross-account access which allows the online auditing system account to assume the role. Assign it a policy that allows only the actions required for the compliance audit.
4. Create a new IAM user and assign a user policy to the IAM user that allows full and unrestricted access to all AWS resources. Create a new access and secret key for the IAM user and provide these credentials to the 3rd party auditing company.
Hello Slvrng,
Thanks for your feedback.
Whether applying the SecurityAudit Managed Policy is correct or not depends on the permissions actually needed by auditors. The SecurityAudit Managed Policy simply helps you save time in figuring out the permissions typically needed for carrying out auditing tasks. Regardless of the policies you apply, you’d still have to do the steps outlined in the correct answer.
Let me know if this answers your question.
Regards,
Carlo Acebedo
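The following is an added example (not part of this thread or of Tutorials Dojo's material) showing what the correct approach from the question looks like in practice: a cross-account IAM role whose trust policy only admits the auditor's account (with an `sts:ExternalId` condition, the standard mitigation for the confused-deputy problem with third parties), combined with the real `arn:aws:iam::aws:policy/SecurityAudit` managed policy that Carlo mentions. It also includes a small check that distinguishes a least-privilege permissions policy from the "full and unrestricted" variant in options 1 and 4. The account ID, external ID and role name are constructed placeholders; no AWS API is called.

```python
import json

# Constructed placeholders (not real accounts or secrets).
AUDITOR_ACCOUNT_ID = "111111111111"            # the 3rd-party auditing system's AWS account
EXTERNAL_ID = "example-audit-external-id"      # value agreed out-of-band with the auditor
ROLE_NAME = "ThirdPartyComplianceAuditRole"    # hypothetical role name

# Real AWS managed policy for the Security Auditor job function.
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def build_trust_policy(auditor_account_id: str, external_id: str) -> dict:
    """Trust policy for the role: only the auditor's account may assume it,
    and only when it presents the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{auditor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_role_definition() -> dict:
    """The role as you would pass it to `aws iam create-role` / `attach-role-policy`:
    a scoped trust policy plus the SecurityAudit managed policy (option 3 of the question)."""
    return {
        "RoleName": ROLE_NAME,
        "AssumeRolePolicyDocument": build_trust_policy(AUDITOR_ACCOUNT_ID, EXTERNAL_ID),
        "ManagedPolicyArns": [SECURITY_AUDIT_POLICY_ARN],
    }


# Constructed permissions policies mirroring the two kinds of answer choices.
FULL_ACCESS_POLICY = {  # options 1 and 4: full and unrestricted access
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_AUDIT_POLICY = {  # a hand-written read-only subset, as in options 2 and 3
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:GetAccountSummary", "cloudtrail:DescribeTrails",
                       "config:DescribeConfigRules", "ec2:DescribeSecurityGroups"],
            "Resource": "*",
        }
    ],
}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def is_least_privilege(policy_document: dict) -> bool:
    """False if any Allow statement grants every action on every resource."""
    for stmt in policy_document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return False
    return True


def trust_policy_issues(trust_policy: dict, expected_account: str) -> list:
    """Flag a trust policy that admits anyone or lacks the ExternalId gate."""
    issues = []
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if principal == "*" or aws_principal == "*":
            issues.append("trust policy allows any AWS principal to assume the role")
        elif expected_account not in str(aws_principal):
            issues.append("trust policy principal is not the auditor's account")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            issues.append("missing sts:ExternalId condition (confused-deputy risk)")
    return issues


if __name__ == "__main__":
    print(json.dumps(audit_role_definition(), indent=2))
    print("scoped policy least-privilege:", is_least_privilege(SCOPED_AUDIT_POLICY))
    print("full-access policy least-privilege:", is_least_privilege(FULL_ACCESS_POLICY))
```

The auditor then calls `sts:AssumeRole` on the role ARN, passing the same ExternalId, and receives temporary credentials; nothing long-lived (no access/secret key pair) ever leaves your account, which is the property that separates options 3 from options 2 and 4.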