Exam AWS Certified Developer Associate topic 1 question 66 discussion

D is correct as it allows for temporary credentials with a set time duration. https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html

D) Correct - The get-session-token command is part of AWS Security Token Service (STS). It provides temporary security credentials that are valid for a short duration (by default, 12 hours for IAM users) and consist of: Access key Secret access key Session token

"The developer needs to authenticate to AWS with their identity" Altough temporary credentials with "get-session-token" are most secure way to obtain extended privilages, it's safer to assume dev account already has enough access to get a job done, than that there is additional role with more privilages that can be fetched via this command. Option D is missing details

Even if A and B are both valid options, the most secure way to use the aws cli on premisis is by calling get-session-token to obtain temporary credentials. So, D is the correct answer

T think the correct answer is C. use profile for each developper. -- profile option is used to replace adding access_key and token for each cli command. get-acess_token is required only for users with MFA enabled and for calling some API operation that require MFA authntificationy. MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication

D is getaccesstoken

i was going for A, but it seems A and D are the same thing just D is temporary credientials

https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html Added layer of security by ensuring stale keys are not reused