nerdexam
Amazon

DVA-C02 · Question #537

A developer has an application that uses AWS Security Token Service (AWS STS). The application calls the STS AssumeRole API operation to provide trusted users with temporary security credentials. The

The correct answer is C. Update the application to use a Regional STS endpoint that is closer to the application. Using a Regional STS endpoint closer to the application reduces network latency compared to always routing to the global endpoint in us-east-1.

Submitted by diego_uy· Mar 5, 2026Troubleshooting and Optimization

Question

A developer has an application that uses AWS Security Token Service (AWS STS). The application calls the STS AssumeRole API operation to provide trusted users with temporary security credentials. The application calls AWS STS at the service's default endpoint:

https://sts.amazonaws.com. The application is deployed in an Asia Pacific AWS Region. The application is experiencing errors that are related to intermittent latency when the application calls AWS STS. What should the developer do to resolve this issue?

Options

  • AUpdate the application to use the GetSessionToken API operation.
  • BUpdate the application to use the AssumeRoleWithSAML API operation.
  • CUpdate the application to use a Regional STS endpoint that is closer to the application
  • DUpdate the application to use the AssumeRoleWithWebldentity API operation. Move the STS

How the community answered

(35 responses)
  • A
    3% (1)
  • B
    6% (2)
  • C
    80% (28)
  • D
    11% (4)

Why each option

Using a Regional STS endpoint closer to the application reduces network latency compared to always routing to the global endpoint in us-east-1.

AUpdate the application to use the GetSessionToken API operation.

GetSessionToken is used to obtain temporary credentials for IAM users with MFA; it does not replace AssumeRole for trusted cross-account or role-based access and would not reduce latency.

BUpdate the application to use the AssumeRoleWithSAML API operation.

AssumeRoleWithSAML is for SAML 2.0 federation scenarios and is not a substitute for AssumeRole when no SAML identity provider is involved.

CUpdate the application to use a Regional STS endpoint that is closer to the applicationCorrect

The default AWS STS endpoint (https://sts.amazonaws.com) resolves to us-east-1, which introduces significant round-trip latency for applications in the Asia Pacific region. Switching to a Regional STS endpoint (e.g., https://sts.ap-southeast-1.amazonaws.com) routes the AssumeRole call to a geographically closer endpoint, substantially reducing latency and intermittent timeout errors.

DUpdate the application to use the AssumeRoleWithWebldentity API operation. Move the STS

AssumeRoleWithWebIdentity is for web identity federation (e.g., Cognito, OIDC); it changes the authentication mechanism entirely rather than addressing the latency caused by the distant global endpoint.

Concept tested: AWS STS Regional endpoints to reduce latency

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice