Home › AWS Solutions Architect Associate › cloudcomputing › securearchitectures › A team wants short-lived credentials (15 minutes…
A team wants short-lived credentials (15 minutes) for an external CI/CD system running OUTSIDE AWS so it can deploy CloudFormation stacks. Which approach is BEST?
ACreate a long-lived IAM user with admin permissions and store its access key in the CI/CD pipeline's environment variables
BDisable IAM and trust the pipeline by IP address only
CConfigure an IAM identity provider (OIDC) for the CI/CD system, define an IAM role with a trust policy, and let the CI/CD pipeline assume the role via STS
DHard-code the AWS root account access key into the CI/CD pipeline
Answer & Solution
Correct answer: C. Configure an IAM identity provider (OIDC) for the CI/CD system, define an IAM role with a trust policy, and let the CI/CD pipeline assume the role via STS
OIDC federation lets external systems (GitHub Actions, GitLab CI, etc.) assume an IAM role and receive short-lived STS credentials — no static AWS keys outside AWS. The other options leak long-lived keys, including the root account, or remove auth entirely.
Related questions
Which AWS feature lets you store and retrieve secrets (database passwords, API tokens) witWhich AWS service enables an organisation to enforce a baseline of security configuration Which combination implements defense-in-depth network segmentation inside a VPC for a publA workload needs to encrypt sensitive S3 objects with keys that the customer creates, rotaAn organisation needs to give a partner read-only access to one specific S3 bucket across Which AWS service is purpose-built to find and classify sensitive data (e.g. PII, credit-cWhich AWS service inspects CloudTrail / VPC flow logs / DNS query logs with ML to detect aAn organisation needs a managed L7 web application firewall to filter SQL injection and cr