
A company uses GitHub Actions for its CI/CD pipeline to access AWS resources. The pipeline authenticates to AWS as an IAM user with a long-lived secret access key. An existing IAM role, with a policy attached, is already authorized to deploy the resources. The security team has mandated that long-lived secret keys are no longer permitted in pipelines, and a solutions architect must replace the secret key with short-lived credentials. Which solution meets these requirements with the least operational overhead?
A. Establish an IAM SAML 2.0 identity provider (IdP) in AWS IAM. Create a new IAM role with a trust policy permitting the sts:AssumeRole API call. Attach the existing IAM policy to this new role. Configure GitHub to use SAML authentication for the pipeline.
B. Set up an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS IAM. Create a new IAM role with a trust policy allowing the sts:AssumeRoleWithWebIdentity API call from the GitHub OIDC IdP. Update GitHub to assume this role for the pipeline.
C. Deploy an Amazon Cognito identity pool. Configure its authentication provider to integrate with GitHub. Create a new IAM role with a trust policy that allows the sts:AssumeRoleWithWebIdentity API call from the GitHub authentication provider. Configure the pipeline to authenticate through Cognito.
D. Configure a trust anchor with AWS Private Certificate Authority. Issue a client certificate for use with AWS IAM Roles Anywhere. Create a new IAM role with a trust policy that allows the sts:AssumeRole API call. Attach the existing IAM policy to the new role. Configure the pipeline to use the credential helper tool and reference the client certificate to assume the new IAM role.