Explanation:
The standard and most secure way to provide cross-account access in AWS is by using IAM roles and the sts:AssumeRole action. This avoids the use of long-term credentials (like static keys in option D). Option C is less common for DynamoDB compared to role assumption for cross-account access. Option A describes an incorrect usage of iam:PassRole.
Ultimate access to all questions.
Question 26. A company has a multi-account environment. Account A has a production application that is hosted on an Amazon EC2 instance. The application needs to query data in an Amazon DynamoDB table that is hosted in Account B. A SysOps administrator needs to provide the EC2 instance in Account A with access to the DynamoDB table in Account B. What is the MOST secure solution that will meet these requirements?
A
Update the IAM policy that is attached to the EC2 instance's IAM role to allow the dynamodb:Query permission on the DynamoDB table in Account B. Add a policy in Account A to allow the DynamoDB service principal to use the PassRole action to pass the role to Account B.
B
In Account B, create an IAM role that has permission to query the DynamoDB table. Add the EC2 instance's IAM role to the trust policy on the newly created IAM role in Account B. Update the IAM policy that is attached to the EC2 instance's IAM role to allow the sts:AssumeRole permission on the newly created IAM role in Account B.
C
Update the IAM policy that is attached to the EC2 instance's IAM role to allow the dynamodb:Query permission on the DynamoDB table in Account B. Update the DynamoDB table's resource policy to allow the query action from the EC2 instance's IAM role.
D
In Account B, create a static IAM key that has the appropriate permissions to query the DynamoDB table. Embed these credentials into the credentials file on the EC2 instance. Reference the credentials every time the application needs to query the table.
E
None
F
None
No comments yet.