AWS Certified Developer – Associate (DVA-C02) — Question 555
A developer is deploying an application on Amazon EC2 instances that run in Account A. The application needs to read data from an existing Amazon Kinesis data stream in Account B.
Which actions should the developer take to provide the application with access to the stream? (Choose two.)
Answer options
- A. Update the instance profile role in Account A with stream read permissions.
- B. Create an IAM role with stream read permissions in Account B.
- C. Add a trust policy to the instance profile role and IAM role in Account B to allow the instance profile role to assume the IAM role.
- D. Add a trust policy to the instance profile role and IAM role in Account B to allow reads from the stream.
- E. Add a resource-based policy in Account B to allow read access from the instance profile role.
Correct answer: B, C
Explanation
To enable cross-account access to resources like Amazon Kinesis data streams, which do not support resource-based policies, you must use IAM role assumption. First, an IAM role with stream read permissions must be created in the trusting account (Account B). Second, a trust relationship must be established between this role and the instance profile role in Account A, allowing the application on the EC2 instance to assume the role in Account B and access the stream.
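As an added illustration (not part of the question bank), the three policy documents that options B and C describe, plus an offline check that they line up before anything is deployed: the reader role's permissions policy in Account B, its trust policy naming the Account A instance profile role, and the instance profile role's own permission to call sts:AssumeRole. Account IDs, role names, the region and the stream name are constructed placeholders.

```python
ACCOUNT_A = "111111111111"  # constructed placeholder: account running the EC2 instances
ACCOUNT_B = "222222222222"  # constructed placeholder: account that owns the stream
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/app-instance-role"
READER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/kinesis-reader"
STREAM_ARN = f"arn:aws:kinesis:us-east-1:{ACCOUNT_B}:stream/orders"
KINESIS_READ_ACTIONS = ["kinesis:DescribeStream", "kinesis:ListShards",
                        "kinesis:GetShardIterator", "kinesis:GetRecords"]

# Option B: permissions policy attached to the reader role that lives in Account B.
READER_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": KINESIS_READ_ACTIONS, "Resource": STREAM_ARN}]}
# Option C, Account B side: trust policy that names the Account A instance profile role.
READER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": INSTANCE_ROLE_ARN},
     "Action": "sts:AssumeRole"}]}
# Option C, Account A side: the instance profile role must be allowed to assume the reader role.
INSTANCE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": READER_ROLE_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """AWS principals of a statement; a bare "*" principal means every AWS principal."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def _allows(policy, action, target, key):
    """True if an Allow statement grants `action` and lists `target` under Resource/Principal."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt.get("Action", [])):
            continue
        granted = _principals(stmt) if key == "Principal" else _as_list(stmt.get("Resource", []))
        if target in granted:
            return True
    return False

def check_cross_account_read(trust, permissions, caller_policy, caller_arn, role_arn, stream_arn):
    """Return the list of gaps or risks across the three documents; [] means they line up."""
    problems = []
    if not _allows(trust, "sts:AssumeRole", caller_arn, "Principal"):
        problems.append("trust policy in Account B does not name the instance profile role")
    if any("*" in _principals(s) for s in trust["Statement"]):
        problems.append("trust policy trusts every AWS principal (Principal: *)")
    if not _allows(caller_policy, "sts:AssumeRole", role_arn, "Resource"):
        problems.append("instance profile role in Account A cannot call sts:AssumeRole on the reader role")
    for action in KINESIS_READ_ACTIONS:
        if not _allows(permissions, action, stream_arn, "Resource"):
            problems.append(f"reader role lacks {action} on the stream")
    return problems
```

Run `check_cross_account_read(READER_TRUST, READER_PERMISSIONS, INSTANCE_ROLE_POLICY, INSTANCE_ROLE_ARN, READER_ROLE_ARN, STREAM_ARN)`; an empty list means the role in Account B, its trust relationship, and the caller's AssumeRole permission all reference each other correctly.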