ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 309 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 309
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company is using AWS Organizations with a multi-account architecture. The company's current security configuration for the account architecture includes SCPs, resource-based policies, identity-based policies, trust policies, and session policies.

A solutions architect needs to allow an IAM user in Account A to assume a role in Account B.

Which combination of steps must the solutions architect take to meet this requirement? (Choose three.)

  • A. Configure the SCP for Account A to allow the action.
  • B. Configure the resource-based policies to allow the action.
  • C. Configure the identity-based policy on the user in Account A to allow the action.
  • D. Configure the identity-based policy on the user in Account B to allow the action.
  • E. Configure the trust policy on the target role in Account B to allow the action.
  • F. Configure the session policy to allow the action and to be passed programmatically by the GetSessionToken API operation.
Show Suggested Answer Hide Answer
Suggested Answer: ACE 🗳️
by airgead at Oct. 28, 2023, 1:06 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
airgead
Highly Voted 1 year, 8 months ago
Answer: C, E, F Attach a policy to the IAM user in Account A > Trust Policy in Account B > GetSessionToken API operation
upvoted 11 times
ele
1 year, 4 months ago
F is wrong, you cannot use GetSessionToken to configure session policy. You can pass a single inline session policy programmatically by using the policy parameter with the AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, and GetFederationToken API operations. ACE is correct answer.
upvoted 2 times
...
...
Andres123456
Highly Voted 1 year, 7 months ago
Selected Answer: BCE
- C) Attach an identity-based policy to the IAM user in Account A (allowed to assume IAM role in Acccount B) - E) Configure the trust policy on the target role in Account B (accountID of the trusted account which is Account A) - B) Configure a resource-based policy which allows certain actions on resources which reside in Account B) reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
upvoted 10 times
JMAN1
1 year, 5 months ago
IAM roles and resource-based policies delegate access across accounts only within a single partition. For example, assume that you have an account in US West (N. California) in the standard aws partition. You also have an account in China (Beijing) in the aws-cn partition. You can't use an Amazon S3 resource-based policy in your account in China (Beijing) to allow access for users in your standard aws account. So B can't be answer.
upvoted 1 times
...
...
eesa
Most Recent 3 months, 2 weeks ago
Selected Answer: ACE
✅C. Configure the identity-based policy on the user in Account A to allow the action. The IAM user in Account A needs permission to assume the role in Account B. This is done by attaching an identity-based policy that allows the sts:AssumeRole action on the target role in Account B. ✅ E. Configure the trust policy on the target role in Account B to allow the action. The IAM role in Account B must trust the user from Account A. This is done by adding a trust policy to the role, specifying Account A’s user or a specific IAM principal from Account A. ✅ A. Configure the SCP for Account A to allow the action. Service Control Policies (SCPs) act as guardrails at the AWS Organizations level. If there is an SCP that denies cross-account role assumption, it must be modified to allow sts:AssumeRole for Account A.
upvoted 1 times
...
albert_kuo
3 months, 3 weeks ago
Selected Answer: ACE
IAM Role does not support Resource-Based Policy, we should apply Trust Policy instead.
upvoted 1 times
...
AzureDP900
7 months, 2 weeks ago
Option A (Configure the SCP for Account A to allow the action) is correct because the SCP would need to be configured to allow the assumption of roles from one account to another. Option C (Configure the identity-based policy on the user in Account A to allow the action) is also correct, as it would define the permissions that the IAM user has within their own account. And finally, Option E (Configure the trust policy on the target role in Account B to allow the action) is necessary because it specifies the external identity provider and the roles that can be assumed by users from that identity provider.
upvoted 1 times
...
Daniel76
8 months ago
Selected Answer: ACE
Revising my earlier vote to ACE, agree that resource based policies is not required. SCP though apply restriction rather than allow, reviewing it to ensure it doesn't block this access does make sense.
upvoted 1 times
...
sashenka
8 months, 1 week ago
Correct Options: A. Configure the SCP for Account A to allow the action. C. Configure the identity-based policy on the user in Account A to allow the action. E. Configure the trust policy on the target role in Account B to allow the action. Explanation of Incorrect Options: B. Configure the resource-based policies to allow the action: Resource-based policies are typically used to control access to specific resources like S3 buckets, not for cross-account role assumption. D. Configure the identity-based policy on the user in Account B to allow the action: The identity-based policy for users in Account B is not relevant here, as the user in Account A needs permission to assume the role.
upvoted 5 times
...
Syre
9 months ago
Selected Answer: BCE
SCPs are not necessary at all here...
upvoted 1 times
...
wbedair
9 months ago
Selected Answer: ACE
the ask is steps to "ASSUME A ROLE" not to "access the resource" . so option B and F are wrong as with A, C, E I can still assume the role regardless of the configuration of resource policy and session policy who can still deny access to the resource
upvoted 1 times
...
Daniel76
10 months, 3 weeks ago
Selected Answer: BCE
To allow an IAM user in Account A to assume a role in Account B - we only need identity-based , resource-based and trust policies. Session policy and SCP not required.
upvoted 1 times
...
kgpoj
10 months, 3 weeks ago
Selected Answer: ACE
A (SCP) is more relevant than B (resource-based policies) because, while SCPs are not granting permissions, they could potentially restrict actions. Therefore, ensuring that the SCP in Account A (and Account B) does not block the necessary sts:AssumeRole action is important. B (resource-based policies) isn't relevant for the cross-account role assumption in this context.
upvoted 1 times
kgpoj
10 months, 3 weeks ago
A: SCPs (Service Control Policies) are used to set permission boundaries at the organizational or account level. SCPs can restrict or allow certain actions, but they do not grant permissions directly. An SCP in Account A would typically not be responsible for directly allowing a user to assume a role in Account B, though it could block the action if not configured properly.
upvoted 1 times
kgpoj
10 months, 3 weeks ago
B: Resource-based policies are policies attached directly to AWS resources (like S3 buckets or IAM roles). However, in this scenario, resource-based policies are less relevant because the focus is on role assumption, which is governed by identity policies and trust policies rather than resource-based policies.
upvoted 1 times
...
...
...
alex_heavy
12 months ago
Selected Answer: CDE
E Trust policy in B D Identity-based policy on the ROLE in Account B to allow the action (I think typo in question) C Configure the identity-based policy on the user in Account A to allow the action. Just try it in AWS env.
upvoted 1 times
...
trungtd
1 year ago
Selected Answer: BCE
you generally do not need to modify the Service Control Policies (SCPs) to allow one account's IAM users to assume roles in another account, as long as the SCPs do not explicitly deny the required actions (like sts:AssumeRole).
upvoted 2 times
...
9f02c8d
1 year ago
BCE - SCP is not required here & used for deny not for allow
upvoted 2 times
...
red_panda
1 year, 1 month ago
Selected Answer: BCE
Answer is BCE. SCPs are not used for ALLOW actions but for DENY actions at Org level.
upvoted 2 times
...
teo2157
1 year, 1 month ago
Selected Answer: ACE
The key point here is "The company's current security configuration for the account architecture includes SCPs," so if SCPs are in place, the SCP in the account A has to be configured to allow the action.
upvoted 2 times
...
seetpt
1 year, 1 month ago
Selected Answer: ACE
ACE for me
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel