nerdexam
Amazon

DVA-C02 · Question #479

A company's AWS accounts are in an organization in AWS Organizations. An application in Account A uses environment variables that are stored as parameters in AWS Systems Manager Parameter Store. A dev

The correct answer is B. Create an assumable IAM role in Account A. Grant the role the permission to access the. Option B is correct because AWS IAM role assumption (via STS) is the native, recommended pattern for cross-account access. By creating an IAM role in Account A with a trust policy that allows Account B to assume it, plus a permissions policy granting read access to the Parameter

Submitted by joshua94· Mar 5, 2026Development with AWS Services

Question

A company's AWS accounts are in an organization in AWS Organizations. An application in Account A uses environment variables that are stored as parameters in AWS Systems Manager Parameter Store. A developer is creating a new application in Account B that needs to use the same environment variables. The application in Account B needs access to the parameters in Account A without duplicating the parameters into Account B. Which solution will meet these requirements with the LEAST operational overhead?

Options

  • AConfigure the application in Account B to use credentials for an IAM user in AccountA that has
  • BCreate an assumable IAM role in Account A. Grant the role the permission to access the
  • CConfigure cross-account resource sharing for the parameters by using AWS Resource Access
  • DWrite a script that stores the parameter values in a private Amazon S3 bucket that both accounts

How the community answered

(30 responses)
  • A
    3% (1)
  • B
    83% (25)
  • C
    10% (3)
  • D
    3% (1)

Explanation

Option B is correct because AWS IAM role assumption (via STS) is the native, recommended pattern for cross-account access. By creating an IAM role in Account A with a trust policy that allows Account B to assume it, plus a permissions policy granting read access to the Parameter Store parameters, Account B's application can assume that role at runtime and read the parameters directly - no duplication, no long-term credential management.

  • Option A is wrong because sharing IAM user credentials across accounts is a security anti-pattern. Long-term access keys are risky and harder to rotate, and AWS explicitly discourages this approach in favor of role assumption.
  • Option C is wrong because AWS Resource Access Manager (RAM) does not support Systems Manager Parameter Store as a shareable resource type - RAM works for resources like VPC subnets, Transit Gateways, and License Manager configurations, not SSM parameters.
  • Option D is wrong because copying parameter values into S3 duplicates the data (violating the requirement) and introduces a custom script to maintain, which increases operational overhead significantly.

Memory tip: For cross-account access to AWS services, the answer is almost always IAM role assumption - think "trust policy + permissions policy = cross-account bridge." Any option involving shared IAM user credentials or data duplication is a red flag on the exam.

Topics

#IAM#Cross-account access#Systems Manager Parameter Store#Security best practices

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice