ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 1017 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 1017
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company has an application that runs on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster on Amazon EC2 instances. The application has a UI that uses Amazon DynamoDB and data services that use Amazon S3 as part of the application deployment.

The company must ensure that the EKS Pods for the UI can access only Amazon DynamoDB and that the EKS Pods for the data services can access only Amazon S3. The company uses AWS Identity and Access Management (IAM).

Which solution meals these requirements?

  • A. Create separate IAM policies for Amazon S3 and DynamoDB access with the required permissions. Attach both IAM policies to the EC2 instance profile. Use role-based access control (RBAC) to control access to Amazon S3 or DynamoDB for the respective EKS Pods.
  • B. Create separate IAM policies for Amazon S3 and DynamoDB access with the required permissions. Attach the Amazon S3 IAM policy directly to the EKS Pods for the data services and the DynamoDB policy to the EKS Pods for the UI.
  • C. Create separate Kubernetes service accounts for the UI and data services to assume an IAM role. Attach the AmazonS3FullAccess policy to the data services account and the AmazonDynamoDBFullAccess policy to the UI service account.
  • D. Create separate Kubernetes service accounts for the UI and data services to assume an IAM role. Use IAM Role for Service Accounts (IRSA) to provide access to the EKS Pods for the UI to Amazon S3 and the EKS Pods for the data services to DynamoDB.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by viejito at Oct. 7, 2024, 5:12 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
jingen11
Highly Voted 6 months, 1 week ago
Selected Answer: D
https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html#service-accounts-iam
upvoted 8 times
...
FlyingHawk
Most Recent 3 months, 1 week ago
Selected Answer: C
IRSA allows Kubernetes service accounts to assume IAM roles, enabling fine-grained access control for EKS Pods. This ensures that each Pod can access only the AWS resources it needs. Attach the AmazonDynamoDBFullAccess policy to the service account for the UI Pods, allowing them to access only DynamoDB. Attach the AmazonS3FullAccess policy to the service account for the data services Pods, allowing them to access only S3.
upvoted 2 times
...
LeonSauveterre
3 months, 2 weeks ago
Selected Answer: C
A - This is a major security flaw. All Pods running on the EC2 instances would inherit both the S3 and DynamoDB permissions. B - Directly attaching IAM policies to Pods is not a valid AWS mechanism. You should use roles. C - Not recommended unless we throw least privilege principles to the wind. BUT this is the only feasible option here, so. D - This option mixes up the permissions. It gives UI Pods access to S3 and data service Pods access to DynamoDB, which is the OPPOSITE of the requirement.
upvoted 4 times
...
BugsyWarribwoy
3 months, 2 weeks ago
Selected Answer: C
D is sneakily WRONG because it swaps the services incorrectly. Pay attention. UWC.
upvoted 4 times
...
GOTJ
4 months ago
Selected Answer: C
Even though there are a couple of comments rightfully discarding "D" because the UI --> S3/DataServices --> DynamoDB swap, I found an AWS document claiming that Kubernetes Service accounts and IAM Role for Service Accounts combination should be the right answer: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html Having this in mind, I'm also discarding "D" (right reasoning, wrong scenario), as well "A" and "B". I didn't like the "full access" policy, but is technically correct, so my vote goes to "C"
upvoted 3 times
...
trinh_le
4 months, 3 weeks ago
Selected Answer: C
* A. Attach both IAM policies to the EC2 instance profile. Does not separate each EKS Pod * B. Aws does not support Attach the Amazon S3 IAM policy directly to the EKS Pods * * D. provide access “UI to Amazon S3” and “data services to DynamoDB” => it does not meet requirements
upvoted 3 times
...
rosanna
4 months, 4 weeks ago
Selected Answer: C
The answer is C as they're switching data pods with DynamoDB service and vice versa (configure the wrong resources)
upvoted 2 times
...
tm1000000
6 months, 1 week ago
answer is D
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago