Confusing Question – Multiple Account Access is not described in the question
Neil-TutorialsDojo updated 8 months ago · 2 Members · 2 Posts
18. Question
A computer hardware manufacturer has a supply chain application that is written in NodeJS. The application is deployed on an Amazon EC2 Reserved instance which has been provisioned with an IAM Role that provides access to data files stored in an S3 bucket.
In this architecture, which of the following IAM policies control access to the data files in S3? (Select TWO.)
– An IAM trust policy that allows the NodeJS supply chain application running on the EC2 instance to access the data files stored in the S3 bucket.
– An IAM trust policy that allows the EC2 instance to assume an EC2 instance role.
– An IAM bucket policy that allows the EC2 role to access S3 objects.
– An IAM permissions policy that allows the EC2 role to access S3 objects.
– An IAM trust policy that allows the EC2 instance to assume an S3 role.

Incorrect
An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.
To delegate permission to access a resource, you create an IAM role in the trusting account that has two policies attached:
– The permissions policy grants the user of the role the needed permissions to carry out the intended tasks on the resource.
– The trust policy specifies which trusted account members are allowed to assume the role.
Hence, the correct answers are:
– An IAM trust policy that allows the EC2 instance to assume an EC2 instance role.
– An IAM permissions policy that allows the EC2 role to access S3 objects.
Why would I be thinking about setting up trust policies if Multiple accounts are not defined in the question?
-
Hi Stresco,
Thank you for your feedback.
Let me just clarify. Setting up trust policies for IAM roles is essential regardless of whether multiple accounts are involved. Trust policies define who or what can assume the IAM role. Even if a role is used within a single account, a trust policy is needed to specify which principal (this principal could be a user, federated user, web service, or AWS service) can assume the role.
We acknowledge that the given explanation is incomplete. We will make the necessary updates and ensure they are reflected in the portal as soon as possible.
If you have any further questions or concerns, please don’t hesitate to let us know.
Regards,
Neil @ Tutorials Dojo
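The two policies discussed in this thread, side by side, as an added example (not from the exam question or the Tutorials Dojo explanation): a trust policy that lets the EC2 service assume the instance role within a single account, and a permissions policy that lets the role read one S3 bucket. The bucket name is a placeholder, and the two check functions are a simplified, offline model of how IAM evaluates each policy (no explicit-Deny handling in the trust check, no conditions, no resource-based policies).

```python
import fnmatch

# Constructed placeholder bucket name; not a value from the thread.
BUCKET = "example-supply-chain-data"

# Trust policy: answers "WHO may assume this role?". Only the EC2 service
# principal is trusted, so the role can be used through an instance profile
# even though no second AWS account is involved.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: answers "WHAT may the role do once assumed?".
# Read-only access to the data files in one bucket, nothing else.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

def _as_list(value):
    # IAM accepts a single string or a list for Action/Resource/Service.
    return value if isinstance(value, list) else [value]

def can_assume(trust_policy, service_principal):
    """Simplified trust-policy check: may this AWS service principal call
    sts:AssumeRole on the role? Allow-only model, no conditions."""
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and service_principal in services):
            return True
    return False

def is_allowed(permissions_policy, action, resource_arn):
    """Simplified permissions-policy check using IAM-style '*' wildcards.
    Default is implicit deny; an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in permissions_policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Note that neither check consults the other: the trust policy never decides what the role can do, and the permissions policy never decides who can assume it, which is why the question needs one of each.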