Exam AWS Certified Security - Specialty topic 1 question 4 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 4
Topic #: 1

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)

  • A. The external ID used by the Auditor is missing or incorrect.
  • B. The Auditor is using the incorrect password.
  • C. The Auditor has not been granted sts:AssumeRole for the role in the destination account.
  • D. The Amazon EC2 role used by the Auditor must be set to the destination account role.
  • E. The secret key used by the Auditor is missing or incorrect.
  • F. The role ARN used by the Auditor is missing or incorrect.
Suggested Answer: ACF

Comments

josellama2000
Highly Voted 3 years, 8 months ago
Correct is A, C and F. Using IAM to grant access to a third-party account:
1) Create a role to provide access to the required resources.
1.1) Create a role policy that specifies the AWS Account ID to be accessed, "sts:AssumeRole" as action, and "sts:ExternalID" as condition.
1.2) Create a role using the role policy just created.
1.3) Assign a resource policy to the role. This will provide permission to access resource ARNs to the auditor.
2) Repeat steps 1 and 2 on all AWS accounts.
3) The auditor connects to the AWS account's AWS Security Token Service (STS). The auditor must provide its ExternalID from step 1.2, the ARN of the role he is trying to assume from step 1.3, and sts:ExternalID.
4) STS provides the auditor with temporary credentials that provide the role access from step 1.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
https://aws.amazon.com/blogs/security/how-to-audit-cross-account-roles-using-aws-cloudtrail-and-amazon-cloudwatch-events/
upvoted 64 times
cloudprincipal
3 years, 8 months ago
Agreed, BDE does not make sense.
upvoted 1 times
luis12345
3 years, 7 months ago
The process you described is not 100% right:
1. You create a user in the account you want to give privileges to (let's call it Account B) --> userB.
2. In our main account, you create a role with the right permissions (roleA) trusting our Account B.
3. Add an inline policy to userB allowing "sts:AssumeRole" with our role ARN.
upvoted 1 times
grendalov
1 year, 10 months ago
Inline policies are not a best practice; they will trigger a Security Hub finding.
upvoted 1 times
vnsuk
3 years, 7 months ago
But if A is correct, it means they will not be able to see any of the accounts?
upvoted 3 times
BillyC
Highly Voted 3 years, 8 months ago
For me: A, C, F
upvoted 14 times
miraspace
3 years, 8 months ago
When you sat the exam, did you answer A, C, F?
upvoted 4 times
bugybq
3 years, 8 months ago
Vote for ACF.
upvoted 5 times
AWSADMIN
3 years, 7 months ago
The parameters that go in while assuming a cross-account role are the Role ARN and an optional External ID. If someone types these incorrectly, he will not be able to assume the role. So A & F are in. The Auditor should have been given sts:AssumeRole in the trusting (destination) account. So C is in. Secret Access Key and Password are not required to assume a role. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
upvoted 3 times
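To make the three failure modes in the suggested answer concrete (options A, C and F, as walked through in josellama2000's and AWSADMIN's comments above), here is an added Python example; it is not part of the original thread and not AWS or boto3 code. It models, offline and in plain Python, the checks STS applies to a cross-account AssumeRole call: the role ARN must be well-formed and exist, the caller's identity policy must allow sts:AssumeRole on that ARN, and the role's trust policy must match the caller's account and the sts:ExternalId condition. The account IDs, the role name AuditRole, the external ID and both policies are constructed sample values; the caller is assumed to be already authenticated (a validly signed request), which is why options B and E are not modelled.

```python
"""Toy model of the checks STS applies to a cross-account AssumeRole call.

Added example, not from the ExamTopics thread or from AWS. Every account ID,
role name, external ID and policy below is a constructed sample value.
"""
import re

# Constructed sample: trust policy on the audit role in a customer account
# (the "resource policy" josellama2000's step 1.3 refers to). The auditor's
# account is 111111111111; the customer account is 222222222222.
CUSTOMER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "audit-2024-xyz"}},
    }],
}

# Roles that exist in the customer account, keyed by ARN (constructed data).
EXISTING_ROLES = {
    "arn:aws:iam::222222222222:role/AuditRole": CUSTOMER_TRUST_POLICY,
}

# Constructed sample: identity policy attached to the auditor's IAM principal.
AUDITOR_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/AuditRole",
    }],
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_matches(pattern, arn):
    """IAM-style resource matching: '*' is a wildcard, all else is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, arn) is not None


def caller_may_assume(identity_policy, role_arn):
    """Option C: does the caller's own policy allow sts:AssumeRole on this ARN?"""
    for stmt in identity_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt["Action"])):
            continue
        if any(_arn_matches(r, role_arn) for r in _as_list(stmt["Resource"])):
            return True
    return False


def trust_policy_allows(trust_policy, caller_account, external_id):
    """Does the trust policy admit this caller account with this external ID?"""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        # Option A: a required external ID that is missing or wrong fails here.
        if required is not None and external_id != required:
            continue
        return True
    return False


def assume_role(caller_account, identity_policy, role_arn, external_id=None, roles=EXISTING_ROLES):
    """Return ("ok", role_arn) or ("denied", reason) for a simulated AssumeRole.

    Real STS answers every one of these cases with a single AccessDenied; the
    distinct reasons are labelled here only to show which check tripped.
    """
    if not role_arn or not ROLE_ARN_RE.match(role_arn) or role_arn not in roles:
        return ("denied", "role ARN missing or incorrect")              # option F
    if not caller_may_assume(identity_policy, role_arn):
        return ("denied", "caller lacks sts:AssumeRole on role")        # option C
    if not trust_policy_allows(roles[role_arn], caller_account, external_id):
        return ("denied", "trust policy rejected caller/external ID")   # option A
    return ("ok", role_arn)


if __name__ == "__main__":
    target = "arn:aws:iam::222222222222:role/AuditRole"
    for label, args in [
        ("correct call", ("111111111111", AUDITOR_IDENTITY_POLICY, target, "audit-2024-xyz")),
        ("external ID omitted", ("111111111111", AUDITOR_IDENTITY_POLICY, target)),
        ("external ID wrong", ("111111111111", AUDITOR_IDENTITY_POLICY, target, "typo")),
        ("role ARN typo", ("111111111111", AUDITOR_IDENTITY_POLICY, target.lower(), "audit-2024-xyz")),
        ("no sts:AssumeRole grant", ("111111111111", {"Version": "2012-10-17", "Statement": []}, target, "audit-2024-xyz")),
    ]:
        print(f"{label:24s} -> {assume_role(*args)}")
```

The per-account nature of the checks is what answers the "why only some accounts?" objection raised further down the thread: each target account has its own role ARN and its own trust policy with its own external ID, so a typo in one account's values breaks that account only. Because the real service collapses all three outcomes into AccessDenied, the account-side CloudTrail record of the AssumeRole attempt (the approach in the blog post josellama2000 links) is where a defender tells them apart.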
0x00infosec
Most Recent 8 months, 1 week ago
A, C and F according to ChatGPT.
upvoted 1 times
[Removed]
9 months ago
A, C and F is the correct answer.
upvoted 10 times
Adzz
1 year, 4 months ago
External ID is mainly used for securing any roles that can be assumed by an unauthorized external account. This is mainly done when you're providing any service to other accounts. Thus, A might not be in the correct options list.
upvoted 1 times
Olawale100
1 year, 8 months ago
"The Auditor is having trouble accessing some of the accounts." The last statement indicates that the Auditor has access to some of the accounts. In that case, A & B are no longer valid. My opinion, though.
upvoted 1 times
Benah
1 year, 8 months ago
For me: A, C, F
upvoted 1 times
Robert0
1 year, 12 months ago
Selected Answer: ACF
I'll go for ACF
upvoted 1 times
blessyrani
2 years ago
It's ACF.
upvoted 1 times
matrpro
2 years, 1 month ago
Selected Answer: ACF
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
upvoted 1 times
yd_h
2 years, 1 month ago
Selected Answer: ACF
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
"...If the request comes from someone using Example Corp's AWS account, and if the role ARN and the external ID are correct, the request succeeds. It then provides temporary security credentials that Example Corp can use to access the AWS resources that your role allows."
upvoted 2 times
komik_101
2 years, 3 months ago
ChatGPT says ACF.
upvoted 4 times
PatrickLi
2 years, 3 months ago
Selected Answer: ACF
For people who are confused about A: the auditor needs to provide the external ID to all accounts he assumes. It is possible that he entered the wrong one (or none at all) for just a few of them.
upvoted 2 times
Masa314
2 years, 3 months ago
Selected Answer: CF
I wonder why A or E is correct. I think if they were correct, the auditor could not access any of the accounts.
upvoted 1 times
SecEnthusiasm
2 years, 4 months ago
Selected Answer: CEF
If A appears to be the answer, it will have no access to the other account also.
upvoted 2 times
Masa314
2 years, 3 months ago
I agree. But would E be the same?
upvoted 1 times
gg12345
2 years, 6 months ago
Selected Answer: ACF
A, C, F
upvoted 1 times
Rea_09
2 years, 7 months ago
Selected Answer: ACF
Correct.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other