AWS Certified Security - Specialty (#50)

The Accounting department at Example Corp. has made a decision to hire a third-party firm, AnyCompany, to monitor Example Corp.'s AWS account to help optimize costs. The Security Engineer for Example Corp. has been tasked with providing AnyCompany with access to the required Example Corp. AWS resources. The Engineer has created an IAM role and granted permission to AnyCompany's AWS account to assume this role. When customers contact AnyCompany, they provide their role ARN for validation. The Engineer is concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account. What steps should the Engineer perform to prevent this outcome?

Create an IAM user and generate a set of long-term credentials. Provide the credentials to AnyCompany. Monitor access in IAM access advisor and plan to rotate credentials on a recurring basis.
Request an external ID from AnyCompany and add a condition with
sts:Externald
to the role's trust policy.
Require two-factor authentication by adding a condition to the role's trust policy with
aws:MultiFactorAuthPresent.
Request an IP range from AnyCompany and add a condition with
aws:SourceIp
to the role's trust policy.