AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company is modernizing a monolithic application into a set of microservices running on Amazon EKS. Several of the new microservices, running in separate pods, require access to different AWS services, including Amazon S3 buckets and Amazon DynamoDB tables. The company's security policy strictly prohibits the use of long-lived IAM user access keys within applications or on the underlying compute instances. The solution must provide granular, pod-level permissions and adhere to the principle of least privilege.
Which approach should a solutions architect recommend to meet these requirements in the most secure and scalable manner?
Configure IAM Roles for Service Accounts (IRSA), creating a unique IAM role for each microservice's permission set and associating each role with the corresponding Kubernetes service account.
Create distinct IAM users for each microservice, generate long-lived access keys, and store these keys as Kubernetes Secrets. Mount the secrets into the respective pods as environment variables.
Create a single IAM role that contains all necessary permissions for all microservices and attach this role to the EC2 instance profile used by the EKS worker nodes.
Install and configure an open-source tool, such as kube2iam or kiam, on the EKS cluster to intercept metadata API calls and associate IAM roles with pods based on annotations.
IAM Roles for Service Accounts (IRSA) allows you to associate an IAM role with a Kubernetes service account. Each pod that uses the service account receives short-lived AWS STS credentials scoped to the permissions defined in that role, giving true pod-level isolation and eliminating long-lived keys. This satisfies least-privilege requirements and avoids exposing an overly broad node instance profile. Although Amazon EKS now offers Pod Identity (the preferred option for new clusters), IRSA remains a fully supported native solution and is still superior to node-level roles, static IAM user keys, or third-party credential proxies such as kube2iam or kiam for clusters that have not yet enabled Pod Identity.
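As an added illustration (not part of the practice question), the two artifacts that make up one IRSA binding: an IAM role whose trust policy is pinned to a single Kubernetes service account, and the ServiceAccount that references it. The account id, OIDC provider id, region, bucket and resource names are placeholders.

```yaml
# Added example: an IRSA binding as a CloudFormation role plus the matching
# Kubernetes ServiceAccount (two separate documents, deployed to two systems).
# Placeholders: 111122223333, EXAMPLE0123456789ABCDEF, us-east-1, example-orders-bucket.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  OrdersServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: orders-service-irsa
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                # Pin the role to ONE namespace/service account. Without the
                # :sub condition, any pod in the cluster could assume this role.
                "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF:sub": system:serviceaccount:orders:orders-sa
                "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF:aud": sts.amazonaws.com
      Policies:
        - PolicyName: orders-s3-readonly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - arn:aws:s3:::example-orders-bucket
                  - arn:aws:s3:::example-orders-bucket/*
---
# Kubernetes side: the annotation tells the EKS pod identity webhook which role
# to project. Pods using this ServiceAccount receive a short-lived web identity
# token plus AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE; no static keys involved.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-sa
  namespace: orders
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/orders-service-irsa
```

A second microservice gets its own role and its own `:sub` value; sharing one role across service accounts would recreate the overly broad permissions of a node instance profile.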