ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 50 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 50
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party.
Which of the following would meet all of these conditions?

  • A. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
  • B. Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application create a new access and secret key for the user and provide these credentials to the SaaS provider.
  • C. Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
  • D. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the SaaS application to work, provide the role ARN to the SaaS provider to use when launching their application instances.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by Tamili at Nov. 22, 2019, 12:41 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
amog
Highly Voted 3 years, 9 months ago
Answer is C You should not give any credentials to SaaS, because they can give it to the other
upvoted 15 times
...
student22
Most Recent 7 months, 3 weeks ago
Selected Answer: C
Answer: C C is more secure than B. Keys can get lost or stolen.
upvoted 1 times
...
amministrazione
10 months, 2 weeks ago
C. Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
upvoted 1 times
...
kondratyevmn
1 year, 11 months ago
Selected Answer: B
B - Meet's all of the requirements. A - make no sense. C - no, as SaaS doesn't necessarily has AWS Account, it could be any service in the Internet. D - doesn't meet the requirement "must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party."
upvoted 1 times
jack_melvin
1 year, 11 months ago
B is NOT the right answer. There is a requirement that "the credentials used by the SaaS vendor cannot be used by any other third party". With Role, you can use trust relationship to allow only the SaaS Vendor to assume it. But you cannot prevent the Vendor from leaking the IAM User credentials. C is the right answer.
upvoted 3 times
mnsait
7 months, 2 weeks ago
Agree. C is correct. With IAM role (unlike IAM User), only the account that is allowed to assume the role can use it. Although not explicitly mentioned (and for good reasons), it is expected from the architect to know that there is an assumeRole required to permit Trust and allow the role to be assumed by the SAAS. With IAM User approach, it is possible to share the secret key with other parties.
upvoted 1 times
...
...
...
hollie
2 years, 6 months ago
Selected Answer: C
Answer is C. for cross-account access.
upvoted 2 times
...
davideccc
2 years, 8 months ago
Selected Answer: C
the doubt could be if the SaaS has an AWS account, but this piece of information excludes B "ensure that the credentials used by the SaaS vendor cannot be used by any other third party" i.e. the correct answer is C
upvoted 1 times
...
KengL
3 years ago
C is mostly correct answer, if there is mention of ExternalID. Still go with C
upvoted 2 times
...
bobsmith2000
3 years, 2 months ago
Selected Answer: B
B. As long as there aren't any mentions that a third-party SaaS application has AWS account, C can't be correct! Otherwise it would be C.
upvoted 1 times
bobsmith2000
3 years ago
It should be C, because B doesn't allow any ec2 actions. But the concerns are the same
upvoted 2 times
...
davideccc
2 years, 8 months ago
"ensure that the credentials used by the SaaS vendor cannot be used by any other third party" this invalidates B. the access key can be used by anyone
upvoted 1 times
...
...
acloudguru
3 years, 7 months ago
this one is easy, hope I can have it in my exam
upvoted 1 times
...
kashi1983
3 years, 7 months ago
Answer is C
upvoted 1 times
...
Akhil254
3 years, 8 months ago
C Correct
upvoted 1 times
...
01037
3 years, 8 months ago
Should be C
upvoted 1 times
...
Bulti
3 years, 8 months ago
C is correct. Although the question doesn't mention that the SaaS provider is in AWS, the option mentions the use of AWS account by the SaaS provider and therefore C is the right answer.
upvoted 1 times
...
RyanGhavidel
3 years, 8 months ago
B, since the SaaS app does not have an account, it should not be able to assume a role
upvoted 2 times
...
guptas
3 years, 8 months ago
Although C looks appropriate but in ques nowhere it is given that saas appn has aws account.
upvoted 2 times
...
fullaws
3 years, 8 months ago
C is answer, access keys does not grant use by one third party, IAM role for the ec2 introduce uncommon and complexity on SaaS application (which not likely to change to meet a specific customer), as the SaaS application need to ssh to the target ec2 and call the AWS API.
upvoted 2 times
...
noisonnoiton
3 years, 8 months ago
go with C
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel