AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A company's Dev account runs an application on Amazon EC2 that must read an encrypted parameter stored in AWS Systems Manager Parameter Store in the company's SharedServices account. Storing static credentials on the instance is prohibited. Which solution provides secure, least-privilege cross-account access while removing the need for long-lived credentials?
Create access keys for a new IAM user in SharedServices that has ssm:GetParameter permission and store the keys as environment variables on the EC2 instance.
Enable resource-based policies for Parameter Store and add the Dev account's root as a principal with ssm:GetParameter permission; continue using the existing EC2 role without changes.
Create an IAM role in SharedServices that allows ssm:GetParameter on the required parameter and trust principals from the Dev account. Update the EC2 instance's role to call sts:AssumeRole for that role and use the returned temporary credentials.
Attach an inline policy to the EC2 instance role in Dev that grants ssm:GetParameter on the parameter's ARN; no other configuration is needed.
The secure way to delegate access across AWS accounts is to create an IAM role in the owning account and configure a trust policy that allows a principal in the other account to assume that role. The role grants only the permissions required, in this case ssm:GetParameter on the specific parameter. The EC2 instance in the Dev account is associated with an instance-profile role that has permission to call sts:AssumeRole on the target role's ARN. The temporary credentials returned by STS let the application read the parameter without storing long-lived keys. Creating users or sharing access keys violates best practices, and adding permissions to the Dev role alone will not satisfy the cross-account trust requirement because the Parameter Store resource lives in a different account.
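The three policy documents and the runtime call that the explanation describes, as an added example that is not part of the original question. The account IDs, role names, region and parameter name are constructed placeholders, and the trust policy names the Dev instance role specifically as the trusted principal.

```python
# Added example; account IDs, role names, region and parameter name are placeholders.
DEV_ACCOUNT, SHARED_ACCOUNT, REGION = "111111111111", "222222222222", "us-east-1"
PARAM_NAME = "/app/db-password"
DEV_ROLE_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:role/AppInstanceRole"
TARGET_ROLE_ARN = f"arn:aws:iam::{SHARED_ACCOUNT}:role/ParamReaderRole"
PARAM_ARN = f"arn:aws:ssm:{REGION}:{SHARED_ACCOUNT}:parameter{PARAM_NAME}"


def _policy(statement):
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy():
    """SharedServices role trust policy: only the Dev instance role may assume it."""
    return _policy({"Effect": "Allow", "Principal": {"AWS": DEV_ROLE_ARN},
                    "Action": "sts:AssumeRole"})


def reader_permissions():
    """SharedServices role permissions: one action on one parameter.
    A SecureString under a customer managed KMS key also needs kms:Decrypt on that key."""
    return _policy({"Effect": "Allow", "Action": "ssm:GetParameter",
                    "Resource": PARAM_ARN})


def instance_role_permissions():
    """Dev instance role permissions: may assume the one target role."""
    return _policy({"Effect": "Allow", "Action": "sts:AssumeRole",
                    "Resource": TARGET_ROLE_ARN})


def has_wildcard(doc):
    """True if any statement uses '*' in Action or Resource (a least-privilege check)."""
    return any("*" in str(s.get(k, "")) for s in doc["Statement"]
               for k in ("Action", "Resource"))


def read_parameter():
    """Run on the instance: boto3 picks up the instance-profile credentials itself."""
    import boto3  # imported here so the policy builders work without the SDK
    creds = boto3.client("sts", region_name=REGION).assume_role(
        RoleArn=TARGET_ROLE_ARN, RoleSessionName="param-read")["Credentials"]
    ssm = boto3.client("ssm", region_name=REGION,
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    # The session now belongs to SharedServices, so the plain name resolves there.
    return ssm.get_parameter(Name=PARAM_NAME, WithDecryption=True)["Parameter"]["Value"]
```

The temporary credentials expire, so a long-running application calls `read_parameter()` again rather than caching the session indefinitely.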
AWS Certified CloudOps Engineer Associate SOA-C03
Security and Compliance