AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An organization runs its CI/CD pipelines in AWS CodeBuild inside account A. The build process must deploy AWS CloudFormation stacks into account B without storing long-lived credentials. According to AWS best practices, which approach should a CloudOps engineer implement to grant the pipelines the required permissions?
Create an IAM user in account B with CloudFormation permissions, generate access keys, store them in AWS Secrets Manager, and reference the secret from the CodeBuild project.
Attach an inline policy with CloudFormation permissions to each developer's IAM user in account A and export their access keys as environment variables for the build project.
Create an IAM role in account B with the required CloudFormation permissions, add a trust policy allowing the CodeBuild service role from account A to assume it, and have the build process call sts:AssumeRole to obtain temporary credentials.
Enable resource sharing with AWS Resource Access Manager between the two accounts and attach a permission boundary to the CodeBuild service role that includes CloudFormation permissions in account B.
The recommended pattern for cross-account automation is to use an IAM role in the target account that the automation can assume. The engineer should create an IAM role in account B that includes the permissions needed to deploy CloudFormation stacks. The role's trust policy lists the ARN of the CodeBuild service role from account A, allowing that principal to call sts:AssumeRole. During the build, the CodeBuild project uses its service role to assume the cross-account role and receives temporary credentials, eliminating the need to store access keys.
Granting developers individual policies and exporting their keys exposes long-lived credentials and does not scale. Creating an IAM user with stored keys still relies on long-term secrets rather than temporary credentials, even when those keys sit in Secrets Manager. AWS Resource Access Manager shares resources, not IAM permissions, so it cannot satisfy the requirement. Therefore, a cross-account role in account B that the CodeBuild service role can assume is the only option that meets AWS security best practices.
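The following is an added example, not code from the question or from AWS: it writes the trust policy for the role in account B, reviews a trust policy for principals broader than the single CodeBuild service role, and lists the build-phase commands that assume the role and deploy with the temporary credentials. The account IDs, role names, stack name and template path are constructed placeholders.

```python
# Constructed placeholder identifiers (assumptions, not from the page).
ACCOUNT_A = "111111111111"   # account running CodeBuild
ACCOUNT_B = "222222222222"   # account that receives the CloudFormation stacks
CODEBUILD_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/codebuild-service-role"
DEPLOY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/cfn-deploy-role"

def trust_policy(trusted_principal_arn: str) -> dict:
    """Trust policy for the role in account B: only the named principal
    (the CodeBuild service role in account A) may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": trusted_principal_arn},
                       "Action": "sts:AssumeRole"}],
    }

def check_trust_policy(policy: dict, expected_principal_arn: str) -> list:
    """Return findings for Allow statements that grant sts:AssumeRole to a
    wildcard or to any AWS principal other than the expected role ARN
    (an account-root principal would also be reported)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append("any principal may assume the role")
            elif p != expected_principal_arn:
                findings.append(f"unexpected principal: {p}")
    return findings

def build_commands(role_arn: str, stack_name: str, template: str) -> list:
    """Build-phase shell lines: assume the cross-account role, export the
    short-lived credentials STS returns, then deploy the stack with them."""
    return [
        "read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN "
        f"<<< \"$(aws sts assume-role --role-arn {role_arn} "
        "--role-session-name codebuild-deploy --output text "
        "--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]')\"",
        "export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN",
        f"aws cloudformation deploy --stack-name {stack_name} "
        f"--template-file {template} --capabilities CAPABILITY_NAMED_IAM",
    ]
```

The commands from `build_commands` are what the buildspec's build phase would run; the CodeBuild service role itself needs only `sts:AssumeRole` on `DEPLOY_ROLE_ARN`, while the CloudFormation permissions live on the role in account B.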