AWS Certified Developer – Associate (DVA-C02) — Question 348
A developer needs temporary access to resources in a second account.
What is the MOST secure way to achieve this?
Answer options
- A. Use the Amazon Cognito user pools to get short-lived credentials for the second account.
- B. Create a dedicated IAM access key for the second account, and send it by mail.
- C. Create a cross-account access role, and use sts:AssumeRole API to get short-lived credentials.
- D. Establish trust, and add an SSH key for the second account to the IAM user.
Correct answer: C
Explanation
Creating a cross-account IAM role and using the sts:AssumeRole API is the AWS-recommended best practice for cross-account access because it provides temporary, short-lived security credentials without sharing long-term secrets. Sharing IAM access keys by mail is insecure and exposes long-lived credentials, while Amazon Cognito user pools are designed for application user authentication rather than cross-account AWS resource delegation. SSH keys attached to an IAM user are not used for AWS API access (they serve only Git authentication to CodeCommit), so option D does not grant access to the second account's resources at all.