ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 503 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 503
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company runs an infrastructure monitoring service. The company is building a new feature that will enable the service to monitor data in customer AWS accounts. The new feature will call AWS APIs in customer accounts to describe Amazon EC2 instances and read Amazon CloudWatch metrics.

What should the company do to obtain access to customer accounts in the MOST secure way?

  • A. Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch permissions and a trust policy to the company’s account.
  • B. Create a serverless API that implements a token vending machine to provide temporary AWS credentials for a role with read-only EC2 and CloudWatch permissions.
  • C. Ensure that the customers create an IAM user in their account with read-only EC2 and CloudWatch permissions. Encrypt and store customer access and secret keys in a secrets management system.
  • D. Ensure that the customers create an Amazon Cognito user in their account to use an IAM role with read-only EC2 and CloudWatch permissions. Encrypt and store the Amazon Cognito user and password in a secrets management system.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Piccalo at May 18, 2023, 2:25 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
cloudenthusiast
Highly Voted 1 year, 4 months ago
Selected Answer: A
By having customers create an IAM role with the necessary permissions in their own accounts, the company can use AWS Identity and Access Management (IAM) to establish cross-account access. The trust policy allows the company's AWS account to assume the customer's IAM role temporarily, granting access to the specified resources (EC2 instances and CloudWatch metrics) within the customer's account. This approach follows the principle of least privilege, as the company only requests the necessary permissions and does not require long-term access keys or user credentials from the customers.
upvoted 15 times
...
Piccalo
Highly Voted 1 year, 4 months ago
Selected Answer: A
A. Roles give temporary credentials
upvoted 9 times
Efren
1 year, 4 months ago
Agreed . Role is the keyword
upvoted 3 times
...
...
awsgeek75
Most Recent 8 months, 2 weeks ago
Selected Answer: A
B: Sharing credentials, even temporary, is insecure C: Access and secret keys. That won't work and sharing secrets outside of account is not secure for this use case A: Keyword "trust policy" D: Again, sharing username and pwd and sharing in any way is not secure
upvoted 2 times
...
pentium75
9 months ago
Selected Answer: A
Not B (would be about access to the company's account, not the customers' accounts) Not C (storing credentials in a custom system is a big nono) Not D (Cognito has nothing to do here and "user and password" is terrible)
upvoted 3 times
...
1rob
10 months ago
Selected Answer: D
The company's infrastructure monitoring service needs to call aws API's in the MOST secure way. So you have to focus on restricting access to the APIs and there is where cognito comes in to play.
upvoted 2 times
awsgeek75
8 months, 3 weeks ago
Are you suggesting to restrict CloudWatch API with Cognito roles?
upvoted 2 times
...
pentium75
9 months ago
What is unsecure with A?
upvoted 2 times
1rob
8 months, 3 weeks ago
The company runs an infrastructure monitoring service. Nowhere is stated that this service lives in an aws account. So A and C I wouldn't choose. B is a bit too vague. So I end up with D.
upvoted 1 times
...
...
...
Guru4Cloud
1 year, 1 month ago
Selected Answer: A
A is the most secure approach for accessing customer accounts. Having customers create a cross-account IAM role with the appropriate permissions, and configuring the trust policy to allow the monitoring service principal account access, implements secure delegation and least privilege access.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago