Exam AWS Certified Solutions Architect - Professional topic 1 question 768 discussion

A company is using multiple AWS accounts. The company has a shared service account and several other accounts for different projects.
A team has a VPC in a project account. The team wants to connect this VPC to a corporate network through an AWS Direct Connect gateway that exists in the shared services account. The team wants to automatically perform a virtual private gateway association with the Direct Connect gateway by using an already- tested AWS Lambda function while deploying its VPC networking stack. The Lambda function code can assume a role by using AWS Security Token Service
(AWS STS). The team is using AWS CloudFormation to deploy its infrastructure.
Which combination of steps will meet these requirements? (Choose three.)

  • A. Deploy the Lambda function to the project account. Update the Lambda function's IAM role with the directconnect:* permission.
  • B. Create a cross-account IAM role in the shared services account that grants the Lambda function the directconnect:* permission. Add the sts:AssumeRole permission to the IAM role that is associated with the Lambda function in the shared services account.
  • C. Add a custom resource to the CloudFormation networking stack that references the Lambda function in the project account.
  • D. Deploy the Lambda function that is performing the association to the shared services account. Update the Lambda function's IAM role with the directconnect:* permission.
  • E. Create a cross-account IAM role in the shared services account that grants the sts:AssumeRole permission to the Lambda function with the directconnect:* permission acting as a resource. Add the sts:AssumeRole permission with this cross-account IAM role as a resource to the IAM role that belongs to the Lambda function in the project account.
  • F. Add a custom resource to the CloudFormation networking stack that references the Lambda function in the shared services account.
Suggested Answer: ACE
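As an added illustration (not from the exam page or any of the commenters): the two IAM halves that option E describes, written out as policy documents, plus a small check that the cross-account chain only works when every leg is present. The account ids and role ARNs are constructed, and the evaluator handles wildcards only.

```python
import fnmatch

PROJECT_ACCOUNT, SHARED_ACCOUNT = "111111111111", "222222222222"  # constructed
LAMBDA_ROLE_ARN = f"arn:aws:iam::{PROJECT_ACCOUNT}:role/vgw-association-lambda"
SHARED_ROLE_ARN = f"arn:aws:iam::{SHARED_ACCOUNT}:role/dx-gateway-association"
ACCEPT_ACTION = "directconnect:AcceptDirectConnectGatewayAssociationProposal"

def shared_services_role(trusted_arn=LAMBDA_ROLE_ARN):
    """Cross-account role in the shared services account (E, first sentence):
    the trust policy names the project Lambda's execution role, the permissions
    policy carries directconnect:* so the assumed session can accept proposals."""
    trust = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Principal": {"AWS": trusted_arn}, "Action": "sts:AssumeRole"}]}
    perms = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Action": "directconnect:*", "Resource": "*"}]}
    return trust, perms

def project_lambda_policy(target_role=SHARED_ROLE_ARN):
    """Identity policy on the project Lambda's execution role: directconnect:*
    to create the proposal (A) plus sts:AssumeRole scoped to the one shared role
    (E, second sentence), so the role cannot assume any other role that trusts it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "directconnect:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role}]}

def _allows(policy, action, resource):
    """Tiny evaluator: True if any Allow statement matches action and resource.
    Wildcards only; no Deny, Condition, NotAction or NotResource handling."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        ress = st.get("Resource", "*")
        ress = ress if isinstance(ress, list) else [ress]
        if (st["Effect"] == "Allow"
                and any(fnmatch.fnmatchcase(action, a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in ress)):
            return True
    return False

def can_accept_in_shared_account(lambda_policy, trust, shared_perms,
                                 caller=LAMBDA_ROLE_ARN):
    """All three legs must hold: the caller may call sts:AssumeRole on the shared
    role, the shared role trusts the caller, and the assumed role may call the
    accept API. Dropping any one leg makes the check fail."""
    may_assume = _allows(lambda_policy, "sts:AssumeRole", SHARED_ROLE_ARN)
    trusted = any(st["Effect"] == "Allow" and st["Action"] == "sts:AssumeRole"
                  and st["Principal"].get("AWS") == caller
                  for st in trust["Statement"])
    return may_assume and trusted and _allows(shared_perms, ACCEPT_ACTION, "*")
```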

Comments

foureye2004
Highly Voted 2 years, 3 months ago
Selected Answer: ACE
https://docs.aws.amazon.com/directconnect/latest/UserGuide/multi-account-associate-vgw.html
With the above guideline, you should:
Project Account: a lambda function to:
- Create an association from the VPG to the DX Gateway ID (input DX Gateway Owner) (answer A, need directconnect:* permission to do this)
- Assume role on the Share Service account to accept the association request.
Share Service account:
- an IAM role to allow the Project account's Lambda to assume it, with directconnect:* permission to allow the action accept/deny the request (answer E)
So A,C,E are correct
upvoted 7 times
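The flow foureye2004 sketches, written out as an added Python example (not from the post or from AWS): one Lambda in the project account creates the proposal, assumes the shared-account role, and accepts the proposal there. The boto3 method and parameter names are the real DirectConnect and STS ones; the clients are injected and replaced by constructed fakes here so it runs offline, and the CloudFormation response signalling is left out.

```python
def associate_vgw(dx_project, sts, dx_client_for, props):
    """props = ResourceProperties from the CloudFormation custom resource (C).
    1) create the proposal with the project account's own credentials (A),
    2) assume the cross-account role in the shared services account (E),
    3) accept the proposal there, as the Direct Connect gateway owner."""
    proposal = dx_project.create_direct_connect_gateway_association_proposal(
        directConnectGatewayId=props["DxGatewayId"],
        directConnectGatewayOwnerAccount=props["SharedAccountId"],
        gatewayId=props["VgwId"])
    proposal_id = proposal["directConnectGatewayAssociationProposal"]["proposalId"]
    creds = sts.assume_role(RoleArn=props["SharedRoleArn"],
                            RoleSessionName="vgw-association")["Credentials"]
    dx_shared = dx_client_for(creds)  # DirectConnect client bound to the shared account
    accepted = dx_shared.accept_direct_connect_gateway_association_proposal(
        directConnectGatewayId=props["DxGatewayId"], proposalId=proposal_id,
        associatedGatewayOwnerAccount=props["ProjectAccountId"])
    return accepted["directConnectGatewayAssociation"]["associationId"]

# Constructed fakes standing in for boto3 clients, so the flow runs offline.
PROJECT, SHARED = "111111111111", "222222222222"  # constructed account ids

class FakeDx:
    def __init__(self, account, log):
        self.account, self.log = account, log
    def create_direct_connect_gateway_association_proposal(self, **kw):
        self.log.append(("create", self.account))
        return {"directConnectGatewayAssociationProposal": {"proposalId": "prop-1"}}
    def accept_direct_connect_gateway_association_proposal(self, **kw):
        if self.account != SHARED:  # only the DX gateway owner may accept
            raise PermissionError("accept must run in the shared services account")
        self.log.append(("accept", self.account))
        return {"directConnectGatewayAssociation": {"associationId": "assoc-1"}}

class FakeSts:
    def __init__(self, log):
        self.log = log
    def assume_role(self, RoleArn, RoleSessionName):
        self.log.append(("assume", RoleArn))
        return {"Credentials": {"AccessKeyId": "ASIA-CONSTRUCTED",
                                "SecretAccessKey": "x", "SessionToken": "t"}}

def run_demo():
    """Wire the fakes as Lambda would wire boto3 clients; return id and call order."""
    log = []
    props = {"DxGatewayId": "dxgw-example", "VgwId": "vgw-example",
             "SharedAccountId": SHARED, "ProjectAccountId": PROJECT,
             "SharedRoleArn": f"arn:aws:iam::{SHARED}:role/dx-gateway-association"}
    assoc = associate_vgw(FakeDx(PROJECT, log), FakeSts(log),
                          lambda creds: FakeDx(SHARED, log), props)
    return assoc, [step[0] for step in log]
```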
Rmukh
Highly Voted 3 years, 2 months ago
I would say it is B, D, F
upvoted 6 times
Jesuisleon
Most Recent 1 year, 6 months ago
Selected Answer: ACE
I agree with A,C,E. The key is the lambda is in the project account. So B,D,F, which all mention the lambda in the shared account, are out.
upvoted 1 times
unknownUser22952
1 year, 9 months ago
Why would we give lambda function access to directconnect directly?
upvoted 1 times
tomosabc1
2 years, 1 month ago
Selected Answer: ACE
The answer is ACE. Quick resolution: the Lambda must be in the same account as the network stack, meaning the project account. Therefore:
B (wrong): ... Lambda function in the shared services account.
D (wrong): Deploy the lambda function .... to the shared services account
F (wrong): ... references the lambda function in the shared services account
E (correct): Really badly worded answer.
1) Create a cross-account IAM role in the shared services account
2) The cross-account IAM role grants sts:AssumeRole permission to the Lambda function, allowing the lambda function in the project account to assume it.
3) The cross-account IAM role has directconnect:* permission
4) Add a policy to allow the Lambda execution role to assume the cross-account role.
This is a typical use case of a cross-account IAM role, but E describes it in a very vague and misleading way.
upvoted 4 times
i_bird
2 years, 1 month ago
Well said..thanks
upvoted 1 times
bobsmith2000
2 years, 6 months ago
The correct version is a combination of B and E:
1) The role in shared services contains an allow for "directconnect:*". Its trust policy allows sts:AssumeRole for a principal which is the lambda role in B.
2) The role in the project account allows sts:AssumeRole and Resource is the role in the shared services account.
So the lambda assumes the role (allowed by its role) and receives the privileges of the ASSUMED role. So neither is correct. Apparently the functions should be in the same account (or created along with a VPC networking stack). So it's A without the second sentence. In case of the Lambda in the shared account, we don't need any cross-account roles. Badly worded answers.
upvoted 1 times
AzureDP900
2 years, 12 months ago
ACE is correct.
upvoted 2 times
sashsz
2 years, 7 months ago
Exceptionally badly written answers. This is what E should state: E. Create a cross-account IAM role in the shared services account that grants the sts:AssumeRole permission to the Lambda function's execution role in the project account with the directconnect:* permission acting as a resource. Add the sts:AssumeRole permission with this cross-account IAM role as a resource to the IAM role that belongs to the Lambda function in the project account.
upvoted 2 times
sashsz
2 years, 7 months ago
Also, the 2nd sentence in A should be removed.
upvoted 1 times
acloudguru
3 years ago
how did you choose between B and E?
upvoted 1 times
acloudguru
3 years ago
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/ Seems B is over E.
upvoted 1 times
Viper57
3 years, 1 month ago
ACE makes the most sense. According to AWS "The owner of the virtual private gateway creates an association proposal and the owner of the Direct Connect gateway must accept the association proposal." So it makes sense in this case that the project account would create a virtual gateway association first, and then assume the cross-account role to accept the association in the shared services account.
upvoted 4 times
student22
3 years, 1 month ago
A,C,E New role in shared account + Lambda in project account
upvoted 1 times
Bigbearcn
3 years, 1 month ago
Only 1 lambda function in shared service account is enough. BDF.
upvoted 1 times
Bigbearcn
3 years, 1 month ago
ACE is correct. Actually the lambda function can be created in the shared service account or the project account. If the lambda function is created in the shared service account, you need to grant your CloudFormation custom resource permission to call the lambda, so Option F is incomplete. Option B is wrong because in that case sts:AssumeRole is not needed. Only when the lambda is in another account and needs to assume the role do you need to grant the sts:AssumeRole permission. So ACE is the answer.
upvoted 7 times
andylogan
3 years, 1 month ago
It's A C E
upvoted 1 times
tgv
3 years, 1 month ago
AAA CCC EEE ---
upvoted 3 times
blackgamer
3 years, 2 months ago
ACE is the answer
upvoted 1 times
Desailly
3 years, 2 months ago
C,D,E Story explanation: Project team deploys something which - as a result - creates a VGW association in the shared account. The flow works as follows (_P for Project, _S for shared):
Project team runs a lambda_P which invokes lambda_S (the one the team has already tested) and lambda_S creates the desired association. In order to do so:
lambda_S needs directconnect:* permission to handle DC (option D)
lambda_P needs permissions to run lambda_S, which is done via 2 roles
- lambda_S can be assumed via a dedicated cross-account IAM_1 role (option D part 1)
- lambda_P can assume IAM_1 via IAM_2 (role for lambda_P) (option D part 2)
Cloudformation is run from the _P account and runs lambda_P, --> thus C
upvoted 1 times
Desailly
3 years, 2 months ago
"option D part x" relates to "E" in explanation
upvoted 1 times
tgv
3 years, 2 months ago
I don't think there are 2 lambda functions. Only 1 is enough and should be deployed in the project account. I'll go with A C E
upvoted 3 times
mericov
3 years, 2 months ago
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
upvoted 1 times
mericov
3 years, 2 months ago
I would say B / C / D https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other