
Answer-first summary for fast verification
Answer: Set up an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS IAM. Create a new IAM role with a trust policy allowing the sts:AssumeRoleWithWebIdentity API call from the GitHub OIDC IdP. Update GitHub to assume this role for the pipeline.
The most efficient solution with minimal operational overhead is to set up an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS IAM and create a new IAM role whose trust policy allows the sts:AssumeRoleWithWebIdentity API call from the GitHub OIDC IdP. This approach eliminates long-lived credentials: the workflow presents a GitHub-issued OIDC token and exchanges it for short-lived credentials at run time, which satisfies the security team's requirement to avoid long-lived secret keys. Options A, C, and D either introduce additional complexity or do not align as closely with the requirement to obtain short-lived credentials efficiently.
Author: LeetQuiz Editorial Team
A company utilizes GitHub Actions for its CI/CD pipeline to access AWS resources, where an IAM user employs a secret key for AWS authentication. An existing IAM role with a policy attached is authorized to deploy resources. The security team has mandated that long-lived secret keys are no longer permissible in pipelines. A solutions architect is tasked with replacing the secret key with a short-lived solution. What is the most efficient solution with minimal operational overhead?
A
Establish an IAM SAML 2.0 identity provider (IdP) within AWS IAM. Develop a new IAM role with a trust policy permitting the sts:AssumeRole API call. Attach the existing IAM policy to this new role. Modify GitHub to utilize SAML authentication for the pipeline.
B
Set up an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS IAM. Create a new IAM role with a trust policy allowing the sts:AssumeRoleWithWebIdentity API call from the GitHub OIDC IdP. Update GitHub to assume this role for the pipeline.
C
Deploy an Amazon Cognito identity pool. Configure the authentication provider to integrate with GitHub. Establish a new IAM role with a trust policy that enables the sts:AssumeRoleWithWebIdentity API call from the GitHub authentication provider. Set up the pipeline to authenticate using Cognito.
D
Configure a trust anchor with AWS Private Certificate Authority. Produce a client certificate for use with AWS IAM Roles Anywhere. Generate a new IAM role with a trust policy that supports the sts:AssumeRole API call. Attach the existing IAM policy to the new role. Adjust the pipeline to utilize the credential helper tool and reference the client certificate public key to assume the new IAM role.
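Added worked example (not code from the LeetQuiz page): the trust policy that the role in option B needs, built in Python, together with a review check that flags the common mistake of omitting the sub condition, which would let any GitHub repository assume the role. The account ID and repository name are constructed placeholders; the issuer host token.actions.githubusercontent.com, the audience sts.amazonaws.com and the repo:OWNER/REPO:ref:refs/heads/BRANCH subject format are the standard values for the GitHub OIDC provider.

```python
# Constructed placeholders for this example; replace with real values.
ACCOUNT_ID = "123456789012"
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC_HOST}"


def github_oidc_trust_policy(repo: str, branch: str = "") -> dict:
    """Trust policy for a role GitHub Actions assumes via sts:AssumeRoleWithWebIdentity.

    aud pins the audience the workflow requests; sub restricts which repository
    (and, if given, which branch) may assume the role.
    """
    cond = {"StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"}}
    if branch:
        cond["StringEquals"][f"{GITHUB_OIDC_HOST}:sub"] = f"repo:{repo}:ref:refs/heads/{branch}"
    else:  # any ref in the repository, but still only this repository
        cond["StringLike"] = {f"{GITHUB_OIDC_HOST}:sub": f"repo:{repo}:*"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": cond,
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Flag statements that let the GitHub OIDC provider assume the role too broadly."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        federated = str(st.get("Principal", {}).get("Federated", ""))
        if (st.get("Effect") != "Allow" or GITHUB_OIDC_HOST not in federated
                or "sts:AssumeRoleWithWebIdentity" not in actions):
            continue
        # Flatten every condition operator into one claim -> value mapping.
        claims = {k: v for block in st.get("Condition", {}).values() for k, v in block.items()}
        if f"{GITHUB_OIDC_HOST}:aud" not in claims:
            findings.append("missing aud condition: tokens minted for other audiences are accepted")
        sub = claims.get(f"{GITHUB_OIDC_HOST}:sub")
        if sub is None:
            findings.append("missing sub condition: any GitHub repository can assume this role")
        elif str(sub).startswith(("*", "repo:*")):
            findings.append(f"sub condition covers every repository: {sub}")
    return findings
```

On the GitHub side the workflow only needs the `id-token: write` permission and a step that requests the role ARN; the existing deployment policy is attached to the new role unchanged.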