Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Amazon Exam SAP-C02 Topic 8 Question 37 Discussion

Actual exam question for Amazon's SAP-C02 exam
Question #: 37
Topic #: 8
[All SAP-C02 Questions]

A solutions architect is creating an AWS CloudFormation template from an existing manually created non-production AWS environment The CloudFormation template can be destroyed and recreated as needed The environment contains an Amazon EC2 instance The EC2 instance has an instance profile that the EC2 instance uses to assume a role in a parent account

The solutions architect recreates the role in a CloudFormation template and uses the same role name When the CloudFormation template is launched in the child account, the EC2 instance can no longer assume the role in the parent account because of insufficient permissions

What should the solutions architect do to resolve this issue?

Show Suggested Answer Hide Answer
Suggested Answer: A

Edit the Trust Policy:

Go to the IAM console in the parent account and locate the role that the EC2 instance needs to assume.

Edit the trust policy of the role to ensure that it correctly allows the sts

action for the role ARN in the child account.

Update the Role ARN:

Verify that the target role ARN specified in the trust policy matches the role ARN created by the CloudFormation stack in the child account.

If necessary, update the ARN to reflect the correct role in the child account.

Save and Test:

Save the updated trust policy and ensure there are no syntax errors.

Test the setup by attempting to assume the role from the EC2 instance in the child account. Verify that the instance can successfully assume the role and perform the required actions.

This ensures that the EC2 instance in the child account can assume the role in the parent account, resolving the permission issue.

Reference

AWS IAM Documentation on Trust Policies51.


by Nan at Aug 06, 2024, 12:51 PM

Limited Time Offer

25%

Off

Get Premium SAP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Delpha
3 months ago
I'm going with B. Gotta cover all your bases when dealing with cross-account IAM shenanigans.
upvoted 0 times
Nickolas
3 months ago
Definitely, covering all bases with cross-account IAM permissions is crucial for smooth operations.
upvoted 0 times
...
Felix
3 months ago
Agreed, it's important to make sure the EC2 instance has the necessary permissions to assume the role in the parent account.
upvoted 0 times
...
Karrie
3 months ago
I think B is the way to go, adding a statement for the sts AssumeRole action in the trust policy sounds like the right move.
upvoted 0 times
...
...
Louann
4 months ago
Ah, the joys of cloud infrastructure management. At least it's not my problem!
upvoted 0 times
Katie
2 months ago
D) Update the CloudFormation stack again Specify the CAPABIUTYJAM capability and the CAPABILITY_NAMEDJAM capability
upvoted 0 times
...
Delbert
2 months ago
C) Update the CloudFormation stack again Specify only the CAPABILITY_NAMED_IAM capability
upvoted 0 times
...
Eleonora
3 months ago
B) In the parent account edit the trust policy for the role that the EC2 instance needs to assume Add a statement that allows the sts AssumeRole action for the root principal of the child account Save the trust policy
upvoted 0 times
...
Brittani
3 months ago
A) In the parent account edit the trust policy for the role that the EC2 instance needs to assume Ensure that the target role ARN in the existing statement that allows the sts AssumeRole action is correct Save the trust policy
upvoted 0 times
...
...
Pete
4 months ago
I think specifying both CAPABILITY_IAM and CAPABILITY_NAMED_IAM capabilities in the CloudFormation stack update is the best approach
upvoted 0 times
...
Kirk
4 months ago
I believe updating the CloudFormation stack again with only the CAPABILITY_NAMED_IAM capability is the right solution
upvoted 0 times
...
Raylene
4 months ago
I bet the solutions architect is wishing they had a magic wand right about now.
upvoted 0 times
Rashad
3 months ago
B) In the parent account edit the trust policy for the role that the EC2 instance needs to assume Add a statement that allows the sts AssumeRole action for the root principal of the child account Save the trust policy
upvoted 0 times
...
Paulene
4 months ago
A) In the parent account edit the trust policy for the role that the EC2 instance needs to assume Ensure that the target role ARN in the existing statement that allows the sts AssumeRole action is correct Save the trust policy
upvoted 0 times
...
...
Latrice
4 months ago
Hmm, I'm not sure about this one. Gotta read the question carefully.
upvoted 0 times
...
Veronica
4 months ago
I agree with Coral, adding a statement for the sts AssumeRole action for the root principal of the child account should resolve the issue
upvoted 0 times
...
Coral
4 months ago
I think the solutions architect should edit the trust policy for the role in the parent account
upvoted 0 times
...
Lucy
4 months ago
This is a tricky one. I think the answer is B, as the child account needs explicit permission to assume the role in the parent account.
upvoted 0 times
Cherri
3 months ago
That makes sense. It's important to ensure the correct permissions are set up for roles to work properly across accounts.
upvoted 0 times
...
France
3 months ago
Yes, you're right. Adding a statement in the trust policy for the root principal of the child account should resolve the issue.
upvoted 0 times
...
Mabel
3 months ago
I think the answer is B, as the child account needs explicit permission to assume the role in the parent account.
upvoted 0 times
...
Charlene
4 months ago
Yes, that could work too. As long as the EC2 instance has the necessary permissions to assume the role in the parent account.
upvoted 0 times
...
Jesusita
4 months ago
But wouldn't editing the trust policy in the parent account for the role also work?
upvoted 0 times
...
Lea
4 months ago
That makes sense, adding a statement in the trust policy for the root principal of the child account should grant the necessary permissions.
upvoted 0 times
...
Clay
4 months ago
I think the answer is B, as the child account needs explicit permission to assume the role in the parent account.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77