DVA-C02 Question #537: Real Exam Question with Answer & Explanation
The correct answer is C: Update the application to use a Regional STS endpoint that is closer to the application. Using a Regional STS endpoint closer to the application reduces network latency compared to always routing to the global endpoint in us-east-1.
Question
A developer has an application that uses AWS Security Token Service (AWS STS). The application calls the STS AssumeRole API operation to provide trusted users with temporary security credentials. The application calls AWS STS at the service's default endpoint: https://sts.amazonaws.com. The application is deployed in an Asia Pacific AWS Region. The application is experiencing errors that are related to intermittent latency when the application calls AWS STS. What should the developer do to resolve this issue?
Options
- A. Update the application to use the GetSessionToken API operation.
- B. Update the application to use the AssumeRoleWithSAML API operation.
- C. Update the application to use a Regional STS endpoint that is closer to the application.
- D. Update the application to use the AssumeRoleWithWebIdentity API operation. Move the STS
Explanation
Using a Regional STS endpoint closer to the application reduces network latency compared to always routing to the global endpoint in us-east-1.
Common mistakes.
- A. GetSessionToken is used to obtain temporary credentials for IAM users with MFA; it does not replace AssumeRole for trusted cross-account or role-based access and would not reduce latency.
- B. AssumeRoleWithSAML is for SAML 2.0 federation scenarios and is not a substitute for AssumeRole when no SAML identity provider is involved.
- D. AssumeRoleWithWebIdentity is for web identity federation (e.g., Cognito, OIDC); it changes the authentication mechanism entirely rather than addressing the latency caused by the distant global endpoint.
Concept tested. AWS STS Regional endpoints to reduce latency
Reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html