AWS Certified Solutions Architect – Associate (SAA-C03) — Question 963
A company has an application that runs on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster on Amazon EC2 instances. The application has a UI that uses Amazon DynamoDB and data services that use Amazon S3 as part of the application deployment.
The company must ensure that the EKS Pods for the UI can access only Amazon DynamoDB and that the EKS Pods for the data services can access only Amazon S3. The company uses AWS Identity and Access Management (IAM).
Which solution meets these requirements?
Answer options
- A. Create separate IAM policies for Amazon S3 and DynamoDB access with the required permissions. Attach both IAM policies to the EC2 instance profile. Use role-based access control (RBAC) to control access to Amazon S3 or DynamoDB for the respective EKS Pods.
- B. Create separate IAM policies for Amazon S3 and DynamoDB access with the required permissions. Attach the Amazon S3 IAM policy directly to the EKS Pods for the data services and the DynamoDB policy to the EKS Pods for the UI.
- C. Create separate Kubernetes service accounts for the UI and data services to assume an IAM role. Attach the AmazonS3FullAccess policy to the data services account and the AmazonDynamoDBFullAccess policy to the UI service account.
- D. Create separate Kubernetes service accounts for the UI and data services to assume an IAM role. Use IAM Role for Service Accounts (IRSA) to provide access to the EKS Pods for the UI to Amazon S3 and the EKS Pods for the data services to DynamoDB.
Correct answer: C
Explanation
Option C is correct because IAM Roles for Service Accounts (IRSA) maps a specific IAM role to an individual Kubernetes service account: the pods that run under the UI service account receive only the DynamoDB role, and the pods that run under the data services service account receive only the S3 role. Each role's trust policy should name exactly one service account (namespace and name) in its OIDC subject condition, otherwise any pod in the cluster could assume it. Note that the AmazonS3FullAccess and AmazonDynamoDBFullAccess managed policies satisfy the "only this service" requirement but are broader than least privilege; in production you would scope the actions and resources to the specific buckets and tables the workload uses. Options A and B are incorrect because IAM policies cannot be attached to pods, and permissions attached to an EC2 instance profile are available to every pod running on that node, so the UI pods and the data services pods would share both sets of permissions. Option D is incorrect because it reverses the required permissions, granting S3 access to the UI and DynamoDB access to the data services.
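The following Python script is an added example, not part of the exam page or any AWS documentation. It builds the three artifacts IRSA needs for one workload (the role's trust policy pinned to a single service account, a least-privilege permission policy in place of the FullAccess managed policy, and the annotated Kubernetes ServiceAccount) and audits a trust policy for the common mistake of a missing or wildcard subject condition. The account ID, OIDC issuer, namespace, service-account names and resource ARNs are made up for illustration.

```python
"""Build and audit IAM Roles for Service Accounts (IRSA) artifacts.

Added example, not from the exam page. The account ID, OIDC issuer and the
namespace / service-account names below are hypothetical.
"""
import json

# Hypothetical cluster identity: the OIDC issuer EKS exposes for a cluster,
# written without the https:// scheme, which is how IAM names it in ARNs and
# condition keys.
ACCOUNT_ID = "123456789012"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def irsa_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Trust policy that lets exactly one Kubernetes service account
    (namespace:name) assume the role by exchanging its projected
    service-account token via sts:AssumeRoleWithWebIdentity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    # Pin the token subject to one service account ...
                    f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                    # ... and the audience to STS, so tokens minted for other
                    # audiences cannot be replayed against this role.
                    f"{oidc_provider}:aud": "sts.amazonaws.com",
                }
            },
        }],
    }


def scoped_permission_policy(service, resource_arns):
    """Least-privilege alternative to the *FullAccess managed policies:
    only the actions the workload needs, only on the named resources.
    The action lists are illustrative, not a recommendation for every app."""
    actions = {
        "dynamodb": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "s3": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    }[service]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource_arns}],
    }


def service_account_manifest(namespace, name, role_arn):
    """ServiceAccount with the annotation the EKS pod identity webhook reads
    to inject AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into pods."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }


def trust_policy_findings(policy, oidc_provider):
    """Audit an IRSA trust policy. Returns a list of findings; an empty list
    means only the one intended service account can assume the role."""
    findings = []
    sub_key, aud_key = f"{oidc_provider}:sub", f"{oidc_provider}:aud"
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        sub = equals.get(sub_key, like.get(sub_key))
        if sub is None:
            findings.append("no sub condition: every service account in the cluster can assume the role")
        else:
            subs = sub if isinstance(sub, list) else [sub]
            if len(subs) > 1 or any("*" in s or "?" in s for s in subs):
                findings.append(f"sub condition {subs!r} matches more than one service account")
        if equals.get(aud_key) != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    ui_trust = irsa_trust_policy(ACCOUNT_ID, OIDC_PROVIDER, "frontend", "ui")
    print(json.dumps(ui_trust, indent=2))
    table = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/ui-sessions"
    print(json.dumps(scoped_permission_policy("dynamodb", [table]), indent=2))
    role = f"arn:aws:iam::{ACCOUNT_ID}:role/ui-dynamodb"
    print(json.dumps(service_account_manifest("frontend", "ui", role), indent=2))
    print("findings:", trust_policy_findings(ui_trust, OIDC_PROVIDER))
```

The same two builder calls with the `s3` service and the data services namespace produce the second role; the point of the audit function is that the "only DynamoDB" / "only S3" split collapses if a trust policy uses `StringLike` with `system:serviceaccount:*` or omits the subject condition, because then either workload's pods can assume either role.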