AWS Certified Security – Specialty (SCS-C02) — Question 67

A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The auditor is having trouble accessing some of the accounts.

Which of the following may be causing this problem? (Choose three.)

Answer options

• A. The external ID used by the auditor is missing or incorrect.
• B. The auditor is using the incorrect password.
• C. The auditor has not been granted sts:AssumeRole for the role in the destination account.
• D. The Amazon EC2 role used by the auditor must be set to the destination account role.
• E. The secret key used by the auditor is missing or incorrect.
• F. The role ARN used by the auditor is missing or incorrect.

Correct answer: A, C, F

Explanation

The correct answers are A, C, and F because the external ID is crucial for security in cross-account roles, and if it's incorrect or missing, access will be denied. Additionally, the auditor needs the sts:AssumeRole permission to assume the role in the destination account, and the role ARN must be accurate for successful access. Options B, D, and E are not relevant to the specific issues with cross-account IAM role access.