AWS Certified Developer – Associate — Question 386

A developer needs to use the AWS CLI on an on-premises development server temporarily to access AWS services while performing maintenance. The developer needs to authenticate to AWS with their identity for several hours.
What is the MOST secure way to call AWS CLI commands with the developer's IAM identity?

Answer options

• A. Specify the developer's IAM access key ID and secret access key as parameters for each CLI command
• B. Run the aws configure CLI command. Provide the developer's IAM access key ID and secret access key.
• C. Specify the developer's IAM profile as a parameter for each CLI command.
• D. Run the get-session-token CLI command with the developer's IAM user. Use the returned credentials to call the CLI

Correct answer: D

Explanation

Running get-session-token generates temporary, short-lived security credentials which expire after a set time, making it the most secure method for temporary access. Storing long-term access keys on an on-premises server via aws configure or passing them as command-line parameters exposes them to exposure risks and shell history. Specifying an IAM profile without configuring underlying credentials first will not authenticate the request.