Exam AWS Certified Developer Associate topic 1 question 201 discussion

the relevant documentation links: - [Creating IAM Roles]https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html - [Tutorial: Delegate Access Across AWS Accounts Using IAM Roles]https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

D. - This option implies allowing direct read access from the instance profile role in Account A to the Kinesis data stream in Account B. - Directly granting read access to resources in another account without role assumption is generally not recommended due to security and governance concerns. - It bypasses the principle of least privilege and complicates access management. E. - This option involves creating a resource-based policy directly on the Kinesis data stream in Account B. - The policy specifies which entities (in this case, the instance profile role) are allowed to access the resource (Kinesis data stream). - While feasible, this option is less commonly used and can be more complex to manage compared to using IAM roles with cross-account trust relationships. - It's generally recommended to use IAM roles with trust relationships for cross-account access management instead of resource-based policies.

A. - This option involves granting the necessary permissions directly to the instance profile role in Account A. - It's not recommended to grant cross-account access directly to instance profile roles because it violates the principle of least privilege and can lead to security risks. - Instance profile roles are typically meant for granting permissions to resources within the same AWS account. - This option is not appropriate for cross-account access scenarios like accessing resources in Account B from resources in Account A.

For me A and E

I vote for AE 1. you cannot assume cross-account iam role directly it must reside in same aws account so options C and D are out 2. You can attach resource based policy to a stream https://docs.aws.amazon.com/streams/latest/dev/controlling-access.html#kinesis-using-iam-examples

To provide the application with access to the stream, the developer should update the instance profile role in Account A with stream read permissions (option A) and add a resource-based policy in Account B to allow read access from the instance profile role (option E). This will allow the application running on the EC2 instances in Account A to assume the instance profile role and read data from the Kinesis data stream in Account B.

Option B is incorrect because it creates an IAM role in the wrong account.

Based on https://docs.aws.amazon.com/kinesisanalytics/latest/java/examples-cross.html

Its AC

B and C

Answer should be B and D. Read the document of trust policy https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

For some AWS services, you can grant cross-account access to your resources. To do this, you attach a policy directly to the resource that you want to share, instead of using a role as a proxy. The resource that you want to share must support resource-based policies. Unlike an identity-based policy, a resource-based policy specifies who (which principal) can access that resource. The following list includes some of the AWS services that support resource-based policies. Amazon S3 buckets Amazon Simple Notification Service (Amazon SNS) topics Amazon Simple Queue Service (Amazon SQS) queues

Why not A&E ???

It's B,C for me. https://aws.amazon.com/blogs/architecture/field-notes-how-to-enable-cross-account-access-for-amazon-kinesis-data-streams-using-kinesis-client-library-2-x/

According to this Article, Create an IAM Role to Access (Read) in the Kinesis Stream Account. Add a trust policy to the EC2 instances Account, and the Kinesis Stream Account to allow the EC2 instances assume the role to read from the stream. Hence B and C

https://www.youtube.com/watch?v=Ob1zYHjqNwo&ab_channel=FelixYu

In my opinion B and C too Role in B Account to allow read from Kinesis and in trust policy AssumeRole for Account A