AWS Certified Data Engineer Associate DEA-C01 Practice Question
A data engineering team runs a managed Apache Airflow environment on Amazon MWAA to orchestrate nightly ETL pipelines. Company policy states that no task may use the MWAA execution role; each task must assume a job-specific IAM role automatically. The team wants to satisfy the policy without refactoring the existing DAG code. Which solution will meet these requirements with the LEAST operational overhead?
Transform each task into an AWS Lambda function that first calls STS:AssumeRole and then performs the workload.
Edit the aws_default Airflow connection in the MWAA environment and set the role_arn extra field to the IAM role that the pipeline should assume.
Create a new Docker image that includes custom Airflow configuration with job-specific credentials and attach it to the MWAA environment.
Store long-lived access keys for each job-specific IAM user in separate Airflow connections and reference them from every task.
Amazon MWAA exposes the standard Airflow connection named "aws_default". By editing this connection in the MWAA console (or with Airflow CLI) and adding the ARN of an IAM role in the role_arn extra field, Airflow's AWSHook automatically calls AWS STS to assume that role. All built-in AWS operators and any custom code that relies on AWSHook or Boto3 inherit those temporary credentials, so no DAG code changes are needed.
Building a custom container image is not supported by MWAA. Adding static credentials directly in a connection violates security best practices and still leaves the execution role in use for other hooks. Wrapping every operator with Lambda vastly increases code and operational overhead. Therefore, updating the existing aws_default connection with the required role_arn is the simplest and most compliant approach.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Amazon MWAA?
Open an interactive chat with Bash
How does AWS STS AssumeRole work in MWAA?
Open an interactive chat with Bash
Why is using temporary credentials better than static credentials?
Open an interactive chat with Bash
What is the aws_default Airflow connection in Amazon MWAA?
Open an interactive chat with Bash
How does setting the role_arn extra field in aws_default work?
Open an interactive chat with Bash
Why is storing long-lived credentials or refactoring DAG code not recommended?
Open an interactive chat with Bash
AWS Certified Data Engineer Associate DEA-C01
Data Operations and Support
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .