nerdexam
Amazon

DVA-C02 · Question #522

A developer is troubleshooting the permissions of an application that needs to make changes to an Amazon RDS database. The developer has access to the IAM role that the application is using. Which com

The correct answer is A. aws sts assume-role. To test what actions an IAM role can perform, a developer must first assume that role to obtain temporary credentials and then execute commands under those credentials.

Submitted by haru.x· Mar 5, 2026Security

Question

A developer is troubleshooting the permissions of an application that needs to make changes to an Amazon RDS database. The developer has access to the IAM role that the application is using. Which command structure should the developer use to test the role permissions?

Options

  • Aaws sts assume-role
  • Baws iam attach-role-policy
  • Caws ssm resume-session
  • Daws rds add-role-to-db-cluster

How the community answered

(23 responses)
  • A
    83% (19)
  • B
    4% (1)
  • C
    4% (1)
  • D
    9% (2)

Why each option

To test what actions an IAM role can perform, a developer must first assume that role to obtain temporary credentials and then execute commands under those credentials.

Aaws sts assume-roleCorrect

The `aws sts assume-role` command uses AWS Security Token Service to return temporary security credentials (access key, secret key, session token) for the specified IAM role. The developer can then use those credentials to invoke AWS API calls and observe whether the role's permissions allow or deny specific actions against RDS.

Baws iam attach-role-policy

`aws iam attach-role-policy` modifies the role's permissions by attaching a policy; it does not test existing permissions.

Caws ssm resume-session

`aws ssm resume-session` resumes a suspended AWS Systems Manager Session Manager session and is unrelated to IAM permission testing.

Daws rds add-role-to-db-cluster

`aws rds add-role-to-db-cluster` grants an RDS cluster access to other AWS services; it does not test the permissions of an existing IAM role.

Concept tested: Assuming IAM roles to test permissions with STS

Source: https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice