Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 428 discussion

In the soltion C the EC2 istance is missing. I have to assume that it is reference to the EC2 istance.

B and C together could be part of the solution, but they still don't fully address the requirement because the Kinesis stream needs a resource-based policy to grant permission for cross-account access. Hence I feel AE will be answer.

Selectec Answer: BC To allow an EC2 instance in one account (Account A) to access a Kinesis stream in another account (Account B), you need cross-account access. This is achieved by: Creating an IAM role in Account B: This role will have the necessary Kinesis read permissions. Adding a trust policy: This policy, added to the role in Account B, allows the EC2 instance's IAM role (in Account A) to assume the role in Account B. The EC2 instance's role then acts as a temporary security credential for accessing the Kinesis stream in Account B.

create iam role { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", "kinesis:GetShardIterator", "kinesis:ListStreams" ], "Resource": "arn:aws:kinesis:<region>:<AccountB-ID>:stream/<stream-name>" } ] }

A. Update the instance profile role in Account A with the necessary permissions to read from the Kinesis stream. This allows the EC2 instance to assume the required permissions. E. Add a resource-based policy to the Kinesis stream in Account B to grant read access to the instance profile role in Account A. This enables cross-account access.

https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles

C: This action involves cross-account role assumption, but for Kinesis access, you would typically use resource-based policies rather than cross-account role assumption unless the use case specifically involves assuming roles across accounts.

Answer is BC