DVA-C02 · Question #479
A company's AWS accounts are in an organization in AWS Organizations. An application in Account A uses environment variables that are stored as parameters in AWS Systems Manager Parameter Store. A dev
The correct answer is B. Create an assumable IAM role in Account A. Grant the role the permission to access the. Option B is correct because AWS IAM role assumption (via STS) is the native, recommended pattern for cross-account access. By creating an IAM role in Account A with a trust policy that allows Account B to assume it, plus a permissions policy granting read access to the Parameter
Question
A company's AWS accounts are in an organization in AWS Organizations. An application in Account A uses environment variables that are stored as parameters in AWS Systems Manager Parameter Store. A developer is creating a new application in Account B that needs to use the same environment variables. The application in Account B needs access to the parameters in Account A without duplicating the parameters into Account B. Which solution will meet these requirements with the LEAST operational overhead?
Options
- AConfigure the application in Account B to use credentials for an IAM user in AccountA that has
- BCreate an assumable IAM role in Account A. Grant the role the permission to access the
- CConfigure cross-account resource sharing for the parameters by using AWS Resource Access
- DWrite a script that stores the parameter values in a private Amazon S3 bucket that both accounts
How the community answered
(30 responses)- A3% (1)
- B83% (25)
- C10% (3)
- D3% (1)
Explanation
Option B is correct because AWS IAM role assumption (via STS) is the native, recommended pattern for cross-account access. By creating an IAM role in Account A with a trust policy that allows Account B to assume it, plus a permissions policy granting read access to the Parameter Store parameters, Account B's application can assume that role at runtime and read the parameters directly - no duplication, no long-term credential management.
- Option A is wrong because sharing IAM user credentials across accounts is a security anti-pattern. Long-term access keys are risky and harder to rotate, and AWS explicitly discourages this approach in favor of role assumption.
- Option C is wrong because AWS Resource Access Manager (RAM) does not support Systems Manager Parameter Store as a shareable resource type - RAM works for resources like VPC subnets, Transit Gateways, and License Manager configurations, not SSM parameters.
- Option D is wrong because copying parameter values into S3 duplicates the data (violating the requirement) and introduces a custom script to maintain, which increases operational overhead significantly.
Memory tip: For cross-account access to AWS services, the answer is almost always IAM role assumption - think "trust policy + permissions policy = cross-account bridge." Any option involving shared IAM user credentials or data duplication is a red flag on the exam.
Topics
Community Discussion
No community discussion yet for this question.