Home › AWS Developer Associate › cloudcomputing › awsdevsecurity › Which IAM feature lets a developer's IAM role te…
Which IAM feature lets a developer's IAM role temporarily "impersonate" a service-account-like role in a different AWS account, scoped to a specific session policy?
AStatically copy the target account's root credentials
BMake every IAM user the AWS account root
CDisable cross-account IAM
DAWS Security Token Service (STS) AssumeRole with an attached session policy
Answer & Solution
Correct answer: D. AWS Security Token Service (STS) AssumeRole with an attached session policy
STS AssumeRole + an inline session policy lets a principal assume a target role for a bounded window with further-restricted permissions. The other options are credential-theft anti-patterns.
Related questions
An S3 bucket policy grants `s3:GetObject` only when the request includes a specific VPC enWhich approach correctly handles environment-specific configuration (DB endpoints, featureAn application must encrypt user-uploaded files in S3 with a key the customer controls (CMA Lambda function reads database credentials at cold start from AWS Secrets Manager and caAn API Gateway REST API needs to require a valid Amazon Cognito ID token on every call. WhWhich IAM construct is best for granting a CodeBuild project the right to read from one spWhich AWS service issues, manages, and auto-renews public TLS certificates for use with ALA static website served from S3 must allow time-limited downloads to authenticated users w