AWS Certified Solutions Architect – Associate (SAA-C03) — Question 922

A company is using an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The company must ensure that Kubernetes service accounts in the EKS cluster have secure and granular access to specific AWS resources by using IAM roles for service accounts (IRSA).

Which combination of solutions will meet these requirements? (Choose two.)

Answer options

• A. Create an IAM policy that defines the required permissions Attach the policy directly to the IAM role of the EKS nodes.
• B. Implement network policies within the EKS cluster to prevent Kubernetes service accounts from accessing specific AWS services.
• C. Modify the EKS cluster's IAM role to include permissions for each Kubernetes service account. Ensure a one-to-one mapping between IAM roles and Kubernetes roles.
• D. Define an IAM role that includes the necessary permissions. Annotate the Kubernetes service accounts with the Amazon ResourceName (ARN) of the IAM role.
• E. Set up a trust relationship between the IAM roles for the service accounts and an OpenID Connect (OIDC) identity provider.

Correct answer: D, E

Explanation

To configure IRSA, you must establish an OpenID Connect (OIDC) provider for the EKS cluster and set up a trust relationship between the IAM role and this OIDC provider. Additionally, you must associate the IAM role with the Kubernetes service account by annotating the service account with the role's ARN. Modifying node roles or using network policies does not provide the granular, service-account-level access control required by IRSA.