Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 870 discussion

A company has two AWS accounts: Production and Development. The company needs to push code changes in the Development account to the Production account. In the alpha phase, only two senior developers on the development team need access to the Production account. In the beta phase, more developers will need access to perform testing.

Which solution will meet these requirements?

  • A. Create two policy documents by using the AWS Management Console in each account. Assign the policy to developers who need access.
  • B. Create an IAM role in the Development account. Grant the IAM role access to the Production account. Allow developers to assume the role.
  • C. Create an IAM role in the Production account. Define a trust policy that specifies the Development account. Allow developers to assume the role.
  • D. Create an IAM group in the Production account. Add the group as a principal in a trust policy that specifies the Production account. Add developers to the group.
Suggested Answer: C

Comments

FlyingHawk
2 months, 2 weeks ago
Selected Answer: C
1. Creating an IAM role in the Production account with a trust relationship to the Development account.
2. Grant the sts:AssumeRole permission to the specific developers (or groups) who need access to the Production account.
3. During the beta phase, you can easily add more developers to the IAM group or policy in the Development account that allows them to assume the role in the Production account.
4. In the Alpha phase, grant AssumeRole Permission to the groups of Two Senior Developers only.
upvoted 2 times
LeonSauveterre
3 months ago
Selected Answer: C
A - We need secure cross-account access between the Development and Production accounts. Option A did nothing about that.
B - This setup violates the AWS best practice for cross-account access, which recommends creating roles in the account being accessed (aka Production env).
C - As more developers need access, you can grant permissions in the Development account without modifying the role in Production. Also, access is granted through temporary credentials generated when the role is assumed, reducing the risk of long-term credential exposure.
D - Groups cannot establish trust between accounts. It didn't provide any mechanism for Development account users to access the Production account.
upvoted 2 times
LeonSauveterre
3 months ago
To "assume" a role in AWS means that you (a developer) temporarily take on the permissions associated with that role. This is done using the AWS Security Token Service (STS), which generates temporary credentials. Brief steps of option C:
1. Sets up a trust policy that allows entities from the Development account to assume the role. Attaches permissions for the required resources (in this case, access to specific services).
2. Attach an IAM policy to your user or role, allowing you to call "sts:AssumeRole".
3. Assume the role by doing this:
   aws sts assume-role \
     --role-arn "arn:aws:iam::PRODUCTION_ACCOUNT_ID:role/ROLE_NAME" \
     --role-session-name "MySessionName"
4. Use the temporary credentials to access the resources in the Production account during the session duration.
upvoted 1 times
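The two-sided check discussed in the comments above, as an added example that is not part of the original thread: a simplified Python model (Allow statements only, exact ARN matching, no Deny or Condition handling) of the Production trust policy and the Development-side group policy. The account IDs, the role name ProdDeployRole, the group name and the user names are placeholders chosen for illustration.

```python
# Simplified model of cross-account sts:AssumeRole evaluation; not AWS's policy engine.
# Account IDs, role name and user names below are constructed placeholders.
DEV, PROD = "111111111111", "222222222222"
ROLE_ARN = f"arn:aws:iam::{PROD}:role/ProdDeployRole"

# Attached to the role in Production: trusts the Development account as a whole.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{DEV}:root"},
    "Action": "sts:AssumeRole"}]}

# Attached to a group in Development: lets members call AssumeRole on that role.
ASSUME_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def group_principals(trust_policy):
    """Principals IAM would reject: a group ARN is not a valid trust-policy principal."""
    return [arn for s in trust_policy["Statement"]
            for arn in _as_list(s.get("Principal", {}).get("AWS", []))
            if ":group/" in arn]

def trusted_by_role(user_arn, trust_policy):
    """Production side: is the caller's account root (or the exact user ARN) trusted?"""
    root = f"arn:aws:iam::{user_arn.split(':')[4]}:root"
    return any(s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
               and bool({user_arn, root} & set(_as_list(s["Principal"].get("AWS", []))))
               for s in trust_policy["Statement"])

def allowed_by_identity(user, groups, role_arn):
    """Development side: does a group the user belongs to allow AssumeRole on the role?"""
    return any(user in g["members"] and s["Effect"] == "Allow"
               and "sts:AssumeRole" in _as_list(s["Action"])
               and role_arn in _as_list(s["Resource"])
               for g in groups for s in g["policy"]["Statement"])

def can_assume(user, groups, trust_policy=TRUST_POLICY, role_arn=ROLE_ARN):
    """Both sides must allow the call for a Development user to get the role."""
    arn = f"arn:aws:iam::{DEV}:user/{user}"
    return trusted_by_role(arn, trust_policy) and allowed_by_identity(user, groups, role_arn)

# Alpha phase: only the two senior developers are in the group.
alpha = [{"name": "ProdAccess", "members": {"senior1", "senior2"}, "policy": ASSUME_POLICY}]
# Beta phase: testers join the same group; the Production trust policy is unchanged.
beta = [{**alpha[0], "members": alpha[0]["members"] | {"tester1"}}]
```

Trusting the account root does not by itself let every Development user in: a user without the Development-side Allow fails the second check, which is where the alpha and beta membership is managed.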
AMEJack
4 months ago
Selected Answer: C
It should be C, groups can't be used in trust policy.
upvoted 2 times
Mayank0502
8 months, 3 weeks ago
Selected Answer: D
answer should be D
upvoted 1 times
f07ed8f
10 months, 1 week ago
Selected Answer: C
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
upvoted 3 times
TwinSpark
10 months, 2 weeks ago
Selected Answer: D
Weird question, but D is actually the only one that allows you to select which developer got access and when, so will go for D
upvoted 1 times
KennethNg923
9 months, 2 weeks ago
Agree, as C will let any developers assume the role without control
upvoted 1 times
KennethNg923
9 months, 2 weeks ago
I checked here: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html, and yes, it should use an IAM role. I correct my choice to C
upvoted 4 times
03beafc
11 months, 1 week ago
Selected Answer: A
you can't assign groups as principals, b and c don't specify only the senior devs, a is the only one that works here
upvoted 1 times
03beafc
11 months, 1 week ago
edit, none of these answers are right....
upvoted 1 times
Mikado211
11 months, 2 weeks ago
Selected Answer: D
If you want ALL the developers to assume the role in the production, then C using a trust policy to assume the role in production is perfect, BUT you could allow users in development account to assume the role in production, but in the end you will maintain potentially a big trust policy depending on the total number of users. Here you want only some developers to connect to the production (others will follow without knowing if they all can connect and without knowing the number), so managing a separate group will give you a little more maintenance but will allow you to have different rights between the users. I'd say D
upvoted 1 times
802c4ff
11 months, 2 weeks ago
Selected Answer: C
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
upvoted 3 times
xBUGx
12 months ago
Selected Answer: D
I think D is better
upvoted 1 times