ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 459 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 459
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company is using GitHub Actions to run a CI/CD pipeline that accesses resources on AWS. The company has an IAM user that uses a secret key in the pipeline to authenticate to AWS. An existing IAM role with an attached policy grants the required permissions to deploy resources.

The company’s security team implements a new requirement that pipelines can no longer use long-lived secret keys. A solutions architect must replace the secret key with a short-lived solution.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an IAM SAML 2.0 identity provider (IdP) in AWS Identity and Access Management (IAM). Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRole API call. Attach the existing IAM policy to the new IAM role. Update GitHub to use SAML authentication for the pipeline.
  • B. Create an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS Identity and Access Management (IAM). Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRoleWithWebIdentity API call from the GitHub OIDC IdP. Update GitHub to assume the role for the pipeline.
  • C. Create an Amazon Cognito identity pool. Configure the authentication provider to use GitHub. Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRoleWithWebIdentity API call from the GitHub authentication provider. Configure the pipeline to use Cognito as its authentication provider.
  • D. Create a trust anchor to AWS Private Certificate Authority. Generate a client certificate to use with AWS IAM Roles Anywhere. Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRole API call. Attach the existing IAM policy to the new IAM role. Configure the pipeline to use the credential helper tool and to reference the client certificate public key to assume the new IAM role.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by CMMC at March 19, 2024, 1:11 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Dgix
Highly Voted 1 year, 1 month ago
Selected Answer: B
A is incorrect because GitHub doesn't support the aging SAML protocol. B is correct because GitHub does support OIDC. C is hysterically overengineered for this use case. D even more so.
upvoted 8 times
lasithasilva709
1 year, 1 month ago
https://aws.amazon.com/blogs/devops/integrating-with-github-actions-ci-cd-pipeline-to-deploy-a-web-app-to-amazon-ec2/
upvoted 2 times
pangchn
1 year, 1 month ago
B as in your KB link: The GitHub Actions workflows must access resources in your AWS account. Here we are using IAM OpenID Connect identity provider and IAM role with IAM policies to access CodeDeploy and Amazon S3 bucket. OIDC lets your GitHub Actions workflows access resources in AWS without needing to store the AWS credentials as long-lived GitHub secrets
upvoted 4 times
...
...
...
AzureDP900
Most Recent 5 months, 3 weeks ago
Option B involves creating an IAM OpenID Connect (OIDC) identity provider in AWS Identity and Access Management (IAM). This will allow the company to use GitHub OIDC authentication, which provides a short-lived token for authentication. The solution also creates a new IAM role with the appropriate trust policy that allows the sts:AssumeRoleWithWebIdentity API call from the GitHub OIDC IdP. This ensures that the pipeline can assume the necessary permissions without using long-lived secret keys.
upvoted 2 times
...
VerRi
1 year, 1 month ago
Selected Answer: B
A and D are out because of sts:AssumeRole. B with the least operational overhead.
upvoted 1 times
0b43291
5 months, 2 weeks ago
In summary, the feedback suggests that options A and D are not suitable because they involve the sts:AssumeRole API call, which typically requires long-lived credentials. Instead, option B, which uses the sts:AssumeRoleWithWebIdentity API call with GitHub's OIDC identity provider, is recommended as the solution with the least operational overhead for replacing the long-lived secret key with a short-lived solution.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago