A company has a production and an audit AWS account. Auditors in the audit account need read-only access to resources in production, without creating separate long-lived credentials. What is the recommended approach?
A) Create IAM users in production and email the access keys to the auditors.
B) Create an IAM role in production that trusts the audit account, and have auditors assume it.
C) Make the production resources public so auditors can read them.
D) Share the production account root credentials with the audit team.
Correct Answer: B
Explanation: A cross-account IAM role whose trust policy allows the audit account to call sts:AssumeRole grants temporary, scoped credentials without sharing long-lived secrets. (A) and (D) spread long-lived or root credentials, a major risk. (C) exposes data publicly.