Correct Answers: C and E.
Option A is incorrect.
The principle of “Grant Least Privilege” suggests providing least & granular access to any User for accessing AWS services.
This will help enhance security of the system and prevent users from performing malicious / accidental tasks within the AWS environment that may compromise the system.
Option B is incorrect.
It's always best to see what kind of access the user requires.
If a user does not use the Command Line Interface (CLI), it's best to avoid giving him access to Access Keys.
SImilarly, if an user only uses the CLI for development, he should be prohibited from accessing the AWS admin console using a password.
Option C is CORRECT.
Roles provide temporary access to AWS services & they dont require to share the Access Keys.
A role that is created may be assigned a definite set of permissions for accessing different services.
The service that uses the role actually assumes the role with which it can perform actions on another service.
This way, we can induce granular permissions as well as prevent long lived Access Keys from being compromised.
Option D is incorrect.
Cross account access are scenarios where users in one Account would like to access services of other Accounts.
Eg An user may use AWS Partner solutions to interact with a Customer's Account for monitoring it or do some orchestration.
Access keys are long lived credentials for which the AWS Partner must ensure to manage those keys by rotating them frequently to avoid them from being compromised.
Roles defined with temporary access permissions when given to the user for accessing the Customer's account will be a best practice here without having to provide Access keys.
Option E is CORRECT.
Root accounts that are created should have their Access Keys locked to prevent compromising them.
Root Accounts have complete Access Privileges to access different AWS resources.
The best practice will be to create an IAM User, Assign required permissions & login as that user for accessing AWS services.
