Exam AWS Certified Security - Specialty topic 1 question 395 discussion

B,E https://aws.amazon.com/premiumsupport/knowledge-center/iam-validate-access-credentials/

By default, the AWS Security Token Service (AWS STS) is available as a global service, and all AWS STS requests go to a single endpoint at https://sts.amazonaws.com. AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity. If you choose to use the global endpoint, you must change the Region compatibility of AWS STS session tokens for the global endpoint. Doing so ensures that tokens are valid in all AWS Regions. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

Difficult question! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html States that 'me-south-1' is an opt-in region. If this is the case, then you have two options (according to https://repost.aws/knowledge-center/iam-validate-access-credentials). * Obtain tokens from a Regional endpoint - i.e B * Change Region compatibility of session tokens for global endpoint - i.e E. I'd go: B + E Because of the above, and the fact it states solutionS, rather than solution. While A/E are a valid combination, it's a single solution. B/E are both solutions (granted, you *might* need A before applying E, but we don't know what permissions the engineer has).

Well... it's A+E 100%

The IAM role is being assumed in the me south 1 region. Therefore, the temporary access token will be granted from that specific region where the resource is located. B Change Region compatibility E.

According to the provided links: To change the Region compatibility of session tokens for the global endpoint (console): Sign in as a root user or a user with permissions to perform IAM administration tasks. To change the compatibility of session tokens, you must have a policy that allows the iam:SetSecurityTokenServicePreferences action. Open the IAM console. In the navigation pane, choose Account settings. Under Security Token Service (STS) section Session Tokens from the STS endpoints. The Global endpoint indicates Valid only in AWS Regions enabled by default. Choose Change. In the Change region compatibility dialog box, select All AWS Regions. Then choose Save changes.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens

Option A- provides instructions to change the Region compatibility of session tokens for the global endpoint.

The Global endpoint Tokens are valid in Default regions only. So the error was being generated .Two way approach 1. Go to Regional endpoint for (Regions that are manually enabled) for token or Go to Global endpoint and ask to generate regional tokens - these tokens are valid in all regions

Could be AB following the one best practice of getting a token from the regional endpoint. Could be AE to answer with two different ways to solve the error if one assumes that adding SetSecurityTokenServicePreferences infers correct configuration of it. Could be BE also to answer with two different ways to solve the error, if one went so far as to say that adding SetSecurityTokenServicePreferences without the right parameters wouldn't be enough. 'Which solutions will resolve this error' can be interpreted to be asking for more than one solution so I will guess AE, assuming that SetSecurityTokenServicePreferences includes the necessary configuration.

BE https://aws.amazon.com/premiumsupport/knowledge-center/iam-validate-access-credentials/

Answer AE . To change the Region compatibility of session tokens for the global endpoint (console) Sign in as a root user or an IAM user with permissions to perform IAM administration tasks. To change the compatibility of session tokens, you must have a policy that allows the "iam:SetSecurityTokenServicePreferences" action. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens

AD Seems Good. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens

https://aws.amazon.com/premiumsupport/knowledge-center/iam-validate-access-credentials/

I'd choose BD https://aws.amazon.com/premiumsupport/knowledge-center/iam-validate-access-credentials/