
AWS Certified Solutions Architect - Professional
A company utilizes GitHub Actions for its CI/CD pipeline to access AWS resources, where an IAM user employs a secret key for AWS authentication. An existing IAM role with a policy attached is authorized to deploy resources. The security team has mandated that long-lived secret keys are no longer permissible in pipelines. A solutions architect is tasked with replacing the secret key with a short-lived solution. What is the most efficient solution with minimal operational overhead?
Explanation:
The most efficient solution with minimal operational overhead is setting up an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS IAM and creating a new IAM role with the appropriate trust policy that allows the 'sts:AssumeRoleWithWebIdentity' API call from the GitHub OIDC IdP. This approach eliminates the use of long-lived credentials by leveraging the GitHub OIDC provider to obtain short-lived credentials dynamically during the CI/CD pipeline execution. This ensures compliance with the security team's requirement to avoid long-lived secret keys. Options A, C, and D either introduce additional complexity or do not align as closely with the requirement to manage short-lived credentials efficiently.
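As an added illustration (not part of the original page), this is the shape of the trust policy the explanation refers to: it lets only tokens issued by the GitHub OIDC IdP call sts:AssumeRoleWithWebIdentity, and the conditions pin the token to one audience and one repository branch. The account ID 111122223333 and the repository example-org/example-repo are placeholders to be replaced.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

The sub condition is the part that matters for least privilege: without it, a token from any GitHub repository presenting the same audience would satisfy the trust policy, so scope it to the repository (and branch or environment) that actually runs the deployment.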