Access Control

Correct Answer: AWS Security Token Service (STS) temporary credentials

AWS Security Token Service (STS) temporary credentials can be configured for 30 minutes and provide temporary access. IAM users with time-based policies cannot precisely revoke after 30 minutes. Transfer Acceleration, Cross-Region Replication, and AWS KMS are not related to temporary access. Pre-signed URLs are for S3 object access, not the entire bucket.

Correct Answer: Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is the most appropriate access control model for this scenario. Here's why: ABAC allows for fine-grained access control based on a combination of attributes, including: 1. User attributes (e.g., role, department, clearance level) 2. Environmental conditions (e.g., time of day, location, device type) 3. Resource properties (e.g., sensitivity level, project association) This model provides the flexibility to create complex access policies that can consider multiple factors simultaneously, making it ideal for the company's requirements. Other options are less suitable: Role-Based Access Control (RBAC) with time-based restrictions is limited to roles and time factors, lacking the ability to consider resource properties and other environmental conditions. Discretionary Access Control (DAC) with conditional statements primarily focuses on object owners granting access rights, which doesn't align with the company's need for a comprehensive attribute-based approach. Mandatory Access Control (MAC) with dynamic policy adjustments is typically used in highly secure environments with strict hierarchical access levels, and doesn't offer the flexibility required for considering various attributes and conditions.

Correct Answer: Create an IAM policy with an IP address and time-based condition

Creating an IAM policy with IP address and time-based conditions will allow you to limit access to the AWS Management Console. AWS WAF, Security Groups, and NACLs do not control access to the AWS Management Console. AWS Direct Connect is mainly for network connectivity, and Trusted Advisor helps optimize resources, not access control.