AWS Certified SysOps Administrator – Associate — Question 298
A company has a multi-account environment. Account A has a production application that is hosted on an Amazon EC2 instance. The application needs to query data in an Amazon DynamoDB table that is hosted in Account B.
A SysOps administrator needs to provide the EC2 instance in Account A with access to the DynamoDB table in Account B.
What is the MOST secure solution that will meet these requirements?
Answer options
- A. Update the IAM policy that is attached to the EC2 instance's IAM role to allow the dynamodb:Query permission on the DynamoDB table in Account B. Add a policy in Account A to allow the DynamoDB service principal to use the PassRole action to pass the role to Account B.
- B. In Account B, create an IAM role that has permission to query the DynamoDB table. Add the EC2 instance's IAM role to the trust policy on the newly created IAM role in Account Update the IAM policy that is attached to the EC2 instance's IAM role to allow the sts:AssumeRole permission on the newly created IAM role in Account B.
- C. Update the IAM policy that is attached to the EC2 instance's IAM role to allow the dynamodb:Query permission on the DynamoDB table in Account B. Update the DynamoDB table's resource policy to allow the query action from the EC2 instance's IAM role.
- D. In Account B, create a static IAM key that has the appropriate permissions to query the DynamoDB table. Embed these credentials into the credentials file on the EC2 instance. Reference the credentials every time the application needs to query the table.
Correct answer: B
Explanation
Option B is correct because Amazon DynamoDB does not support resource-based policies, making Option C incorrect. Cross-account access is securely established by allowing the EC2 instance in Account A to assume an IAM role in Account B using the sts:AssumeRole API. Option D is highly discouraged as using long-lived static credentials is an insecure practice compared to temporary IAM credentials.