

  • Unrealistic scenario

  • Kumar Mahadevan

    Member
    February 17, 2025 at 3:30 pm

    Review Mode Set 5 – AWS Certified Solutions Architect Professional

    15. Question

    Category: CSAP – Continuous Improvement for Existing Solutions

    A leading streaming service provider is utilizing GitHub Actions for their CI/CD pipeline, which orchestrates deployments across multiple AWS regions. The provider has been using an IAM user with an access key for authentication. An IAM role with the necessary permissions to manage S3 buckets is already in place.

    Following a security audit, the provider’s security team requires the replacement of static IAM user keys with a dynamic, short-lived credential system. Additionally, the team wants to integrate GitHub Actions to automate the process of obtaining and using these dynamic credentials seamlessly. The solutions architect needs to comply with the new security policy and ensure the CI/CD pipeline remains functional and secure.

    Which of the following options will meet the specified requirements while minimizing operational overhead?

    An OpenID Connect IdP is responsible for authenticating a user (examples may be FB, Google, Amazon, etc.) and returning a Web Identity Token. The IdP itself will not make an AssumeRoleWithWebIdentity call; rather, the client (streaming service provider) should be making the call to access AWS resources using the Web Identity token.

    The correct answer explanation mentions that the IdP will be making an AssumeRoleWithWebIdentity call, which is incorrect. This scenario needs to be revisited. Best will be to include a diagram of the CI/CD process that will be executed by GitHub Actions.

  • JR-TutorialsDojo

    Administrator
    February 20, 2025 at 9:39 am

    Hello Kumar Mahadevan,

    Thank you for bringing this to our attention.

    The OpenID Connect (OIDC) Identity Provider (IdP) authenticates the user and issues a Web Identity Token, but it does not directly call AssumeRoleWithWebIdentity. Instead, the client application (in this case, GitHub) makes this call to AWS STS to assume the IAM role and obtain temporary credentials.

    We will make the necessary updates to ensure the explanation aligns with best practices and accurately represents the role of the IdP and client in the authentication process. These updates will soon be visible on the portal.

    Let us know if you need further assistance.

    Thanks again for your valuable input, and we truly appreciate your keen attention to detail!

    Regards,
    JR @ Tutorials Dojo
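The exchange both posts describe, as an added example that is not part of the original thread or of Tutorials Dojo's material: GitHub's OIDC provider only issues the ID token; the workflow itself (the client) presents that token to STS in an AssumeRoleWithWebIdentity call, and STS verifies the token and evaluates the role's trust policy before returning short-lived credentials. The STS side is simulated in Python so the flow runs offline. The repository name, account ID and trust policy are constructed, and a locally generated HMAC key stands in for GitHub's RS256 signing key (real tokens are verified against the issuer's JWKS).

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"
# Assumption: a random HMAC key stands in for GitHub's RS256 signing key so the
# example runs offline; real tokens are verified against the issuer's JWKS.
SIGNING_KEY = secrets.token_bytes(32)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def github_issue_id_token(repository: str, ref: str, audience: str = STS_AUDIENCE,
                          lifetime: int = 300, now: Optional[int] = None) -> str:
    """IdP side: the JWT a job with `id-token: write` receives from GitHub.
    Its `sub` claim (repo:<owner>/<repo>:ref:<ref>) is what the trust policy scopes on."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps({
        "iss": GITHUB_ISSUER, "aud": audience, "sub": f"repo:{repository}:ref:{ref}",
        "repository": repository, "ref": ref, "iat": now, "exp": now + lifetime,
    }).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url_encode(sig)}"


def verify_id_token(token: str, now: int) -> dict:
    """Signature, issuer, audience and expiry checks STS performs before consulting the policy."""
    header, claims_b64, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("InvalidIdentityToken: signature verification failed")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != GITHUB_ISSUER:
        raise PermissionError("InvalidIdentityToken: unknown issuer")
    if claims.get("aud") != STS_AUDIENCE:
        raise PermissionError("InvalidIdentityToken: audience mismatch")
    if claims.get("exp", 0) <= now:
        raise PermissionError("ExpiredToken")
    return claims


def condition_matches(condition: dict, claims: dict) -> bool:
    """Evaluate StringEquals / StringLike conditions keyed as '<provider host>:<claim>'."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            claim = str(claims.get(key.split(":", 1)[1]))
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if operator == "StringEquals":
                ok = claim in patterns
            elif operator == "StringLike":  # IAM wildcards: * and ?
                ok = any(fnmatch.fnmatchcase(claim, p) for p in patterns)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def sts_assume_role_with_web_identity(token: str, trust_policy: dict, now: Optional[int] = None) -> dict:
    """Simulated STS: the caller is the workflow, not the IdP. Returns short-lived credentials."""
    now = int(time.time()) if now is None else now
    claims = verify_id_token(token, now)
    if not any(s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRoleWithWebIdentity"
               and condition_matches(s.get("Condition", {}), claims)
               for s in trust_policy["Statement"]):
        raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRoleWithWebIdentity")
    return {"AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(60),
            "Expiration": now + 3600,
            "SubjectFromWebIdentityToken": claims["sub"]}


# Constructed trust policy for the S3-management role in the question: only the
# main branch of one repository may assume it. Account ID and repository are made up.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:acme/streaming-deploy:ref:refs/heads/main"},
        },
    }],
}


def workflow_obtain_credentials(repository: str, ref: str, trust_policy: dict = TRUST_POLICY,
                                now: Optional[int] = None) -> dict:
    """Client side: fetch the token from the IdP, then call STS with it."""
    token = github_issue_id_token(repository, ref, now=now)
    return sts_assume_role_with_web_identity(token, trust_policy, now=now)


if __name__ == "__main__":
    creds = workflow_obtain_credentials("acme/streaming-deploy", "refs/heads/main")
    print("session for", creds["SubjectFromWebIdentityToken"], "expires at", creds["Expiration"])
    try:
        workflow_obtain_credentials("acme/streaming-deploy", "refs/heads/feature-x")
    except PermissionError as err:
        print("feature branch rejected:", err)
```

In a real workflow, `permissions: id-token: write` plus the `aws-actions/configure-aws-credentials` step with `role-to-assume` does what `workflow_obtain_credentials` does here: the job fetches the token from GitHub and itself calls STS. The part worth checking in a review is the `sub` condition: if it is omitted or widened to `repo:*`, any GitHub repository presenting a valid token from the same issuer can assume the role, which is why the constructed policy pins both the repository and the branch.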
