AWS Certified Security – Specialty — Question 348
A security engineer recently enabled the me-south-1 Region. The security engineer is now assuming an IAM role and is making an API call to an endpoint in me-south-1.
The API call returns the following error: “AuthFailure: AWS was not able to validate the provided access credentials”.
Which solutions will resolve this error? (Choose two.)
Answer options
- A. Add the iam:SetSecurityTokenServicePreferences action to the security engineer’s IAM role.
- B. Use the AWS Security Token Service (AWS STS) endpoint in me-south-1 to obtain an STS token.
- C. Use the AWS Security Token Service (AWS STS) endpoint in the us-east-1 Region to obtain an STS token.
- D. Manually activate the AWS Security Token Service (AWS STS) endpoint in me-south-1.
- E. Change the AWS Security Token Service (AWS STS) global endpoint to issue Region-compatible session tokens.
Correct answer: B, E
Explanation
By default, the global AWS STS endpoint in us-east-1 issues session tokens that are valid only in AWS Regions that are enabled by default, so authentication with such a token fails in opt-in Regions like me-south-1. To resolve this, either configure the global STS endpoint to issue Region-compatible (Version 2) tokens, or call the regional STS endpoint in me-south-1 directly, since a regional endpoint always issues tokens that are valid in its own Region.