DVA-C02 · Question #522
A developer is troubleshooting the permissions of an application that needs to make changes to an Amazon RDS database. The developer has access to the IAM role that the application is using. Which com
The correct answer is A. aws sts assume-role. To test what actions an IAM role can perform, a developer must first assume that role to obtain temporary credentials and then execute commands under those credentials.
Question
A developer is troubleshooting the permissions of an application that needs to make changes to an Amazon RDS database. The developer has access to the IAM role that the application is using. Which command structure should the developer use to test the role permissions?
Options
- Aaws sts assume-role
- Baws iam attach-role-policy
- Caws ssm resume-session
- Daws rds add-role-to-db-cluster
How the community answered
(23 responses)- A83% (19)
- B4% (1)
- C4% (1)
- D9% (2)
Why each option
To test what actions an IAM role can perform, a developer must first assume that role to obtain temporary credentials and then execute commands under those credentials.
The `aws sts assume-role` command uses AWS Security Token Service to return temporary security credentials (access key, secret key, session token) for the specified IAM role. The developer can then use those credentials to invoke AWS API calls and observe whether the role's permissions allow or deny specific actions against RDS.
`aws iam attach-role-policy` modifies the role's permissions by attaching a policy; it does not test existing permissions.
`aws ssm resume-session` resumes a suspended AWS Systems Manager Session Manager session and is unrelated to IAM permission testing.
`aws rds add-role-to-db-cluster` grants an RDS cluster access to other AWS services; it does not test the permissions of an existing IAM role.
Concept tested: Assuming IAM roles to test permissions with STS
Source: https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html
Community Discussion
No community discussion yet for this question.