Topic 1 Question 480
A solutions architect is creating an AWS CloudFormation template from an existing manually created non-production AWS environment. The CloudFormation template can be destroyed and recreated as needed. The environment contains an Amazon EC2 instance. The EC2 instance has an instance profile that the EC2 instance uses to assume a role in a parent account.
The solutions architect recreates the role in a CloudFormation template and uses the same role name. When the CloudFormation template is launched in the child account, the EC2 instance can no longer assume the role in the parent account because of insufficient permissions.
What should the solutions architect do to resolve this issue?
A. In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Ensure that the target role ARN in the existing statement that allows the sts:AssumeRole action is correct. Save the trust policy.
B. In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Add a statement that allows the sts:AssumeRole action for the root principal of the child account. Save the trust policy.
C. Update the CloudFormation stack again. Specify only the CAPABILITY_NAMED_IAM capability.
D. Update the CloudFormation stack again. Specify the CAPABILITY_IAM capability and the CAPABILITY_NAMED_IAM capability.
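Added example (not part of the exam question or the comments) showing the mechanism behind option A. When a role that appears as a Principal in a trust policy is deleted, IAM rewrites the stored trust policy so that the role ARN becomes the deleted role's unique ID (prefix AROA). A role recreated with the same name gets a new unique ID, so the parent-account trust no longer matches it and sts:AssumeRole is denied. The code below takes a trust policy document as a dict, reports any stale AROA principals, and writes the correct role ARN back. The account IDs, the role name AppInstanceRole and the unique ID are placeholders chosen for the example, not values from the question.

```python
"""Detect and repair a cross-account trust policy that went stale after the
trusted role was deleted and recreated under the same name (AWS IAM).

Fetch the live document with:
  aws iam get-role --role-name <ParentRole> --query Role.AssumeRolePolicyDocument
and push the repaired one back with:
  aws iam update-assume-role-policy --role-name <ParentRole> --policy-document file://fixed.json
"""
import copy
import json

# IAM role unique IDs start with AROA; a trust policy that shows one instead of
# an ARN is referencing a role that no longer exists.
ROLE_UNIQUE_ID_PREFIX = "AROA"


def as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def find_stale_principals(trust_policy):
    """Return AWS principals in Allow sts:AssumeRole statements that are stale unique IDs."""
    stale = []
    for stmt in as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue
        for entry in as_list(principal.get("AWS", [])):
            if entry.startswith(ROLE_UNIQUE_ID_PREFIX):
                stale.append(entry)
    return stale


def repair_trust_policy(trust_policy, expected_role_arn):
    """Return a copy of the policy with stale AROA principals replaced by the role ARN (option A)."""
    fixed = copy.deepcopy(trust_policy)
    for stmt in as_list(fixed.get("Statement", [])):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        entries = [
            expected_role_arn if e.startswith(ROLE_UNIQUE_ID_PREFIX) else e
            for e in as_list(principal["AWS"])
        ]
        principal["AWS"] = entries[0] if len(entries) == 1 else entries
    return fixed


def is_root_principal(principal):
    """True for an account-root principal (arn:aws:iam::<id>:root or a bare account ID).

    Trusting the root principal, as option B proposes, lets every identity in the
    child account that is allowed to call sts:AssumeRole use the parent role.
    """
    return principal.endswith(":root") or principal.isdigit()


# Constructed sample: the parent-account trust policy after the child role was
# deleted. Account IDs, role name and unique ID are placeholders for this example.
STALE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "AROAEXAMPLESTALEID12345"},
            "Action": "sts:AssumeRole",
        }
    ],
}
CHILD_ROLE_ARN = "arn:aws:iam::111111111111:role/AppInstanceRole"  # assumed child role


if __name__ == "__main__":
    print("stale principals:", find_stale_principals(STALE_TRUST_POLICY))
    print(json.dumps(repair_trust_policy(STALE_TRUST_POLICY, CHILD_ROLE_ARN), indent=2))
```

Running the check on the live policy before touching the template is the quickest way to confirm this is the failure mode rather than a missing CloudFormation IAM capability (options C and D), which would have failed the stack deployment itself rather than the later AssumeRole call.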
Comments (14)
Answer is A. The error occurs because the trust relationship in the parent account that allows the EC2 instance to assume a role may have been broken or misconfigured. This can happen when a role is recreated with a different ARN but the same role name. The trust policy must be updated to reflect the correct ARN. Option A addresses this by ensuring that the trust policy in the parent account contains the correct ARN for the role in the child account, allowing the sts:AssumeRole action. Option B, which allows the root principal to assume the role, is risky and should be avoided due to security implications.
👍 8 SKS 2024/04/27 - Selected answer: A
It is A. B is incorrect because specifying the root principal opens access up to all principals in the child account that are allowed to use sts.
👍 5 jtzt2003 2024/04/27 - Selected answer: A
Should be "A".
👍 4 titi_r 2024/05/25