DVA-C02 · Question #557
DVA-C02 Question #557: Real Exam Question with Answer & Explanation
The correct answer is A: "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:states:ap-south-1:111111111111:stateMachine:myStateMachine" } }.
Question
A company has an AWS Step Functions state machine named myStateMachine. The company configured a service role for Step Functions. The developer must ensure that only the myStateMachine state machine can assume the service role. Which statement should the developer add to the trust policy to meet this requirement?
Options
- A. "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:states:ap-south-1:111111111111:stateMachine:myStateMachine" } }
- B. "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:states:ap-south-1:*:stateMachine:myStateMachine" } }
- C. "Condition": { "StringEquals": { "aws:SourceAccount": "111111111111" } }
- D. "Condition": { "StringNotEquals": { "aws:SourceArn": "arn:aws:states:ap-south-1:111111111111:stateMachine:myStateMachine" } }
Explanation
Option A is correct because it uses ArnLike with the fully qualified, specific ARN of myStateMachine - including the exact AWS account ID (111111111111) and region (ap-south-1) - ensuring that only that specific state machine can assume the role. The aws:SourceArn condition key in a trust policy restricts which resource can assume the role, and using the precise ARN with a real account ID provides the tightest, most secure constraint.
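To see how the four conditions differ in what they let through, the following added example (not part of the original question or AWS's own code) evaluates each option against three constructed request contexts. The evaluator is a simplified model of the ArnLike, StringEquals and StringNotEquals operators, and the caller names, the second account ID and otherStateMachine are assumed sample values.

```python
import re
ARN = "arn:aws:states:ap-south-1:111111111111:stateMachine:myStateMachine"
# The four answer options, as Condition blocks of the role's trust policy.
OPTIONS = {
    "A": {"ArnLike": {"aws:SourceArn": ARN}},
    "B": {"ArnLike": {"aws:SourceArn":
          "arn:aws:states:ap-south-1:*:stateMachine:myStateMachine"}},
    "C": {"StringEquals": {"aws:SourceAccount": "111111111111"}},
    "D": {"StringNotEquals": {"aws:SourceArn": ARN}},
}
# Constructed request contexts (assumed sample values, not from the question).
CALLERS = {
    "myStateMachine": {"aws:SourceArn": ARN, "aws:SourceAccount": "111111111111"},
    "otherMachine-sameAccount": {
        "aws:SourceArn": "arn:aws:states:ap-south-1:111111111111:stateMachine:otherStateMachine",
        "aws:SourceAccount": "111111111111"},
    "sameName-otherAccount": {
        "aws:SourceArn": "arn:aws:states:ap-south-1:222222222222:stateMachine:myStateMachine",
        "aws:SourceAccount": "222222222222"},
}

def arn_like(pattern, value):
    # Simplified ArnLike: compare the six colon-delimited ARN fields one by
    # one, with * and ? acting as wildcards inside a field.
    def glob(field):
        return re.escape(field).replace(r"\*", ".*").replace(r"\?", ".")
    p, v = pattern.split(":", 5), value.split(":", 5)
    return len(p) == len(v) == 6 and all(re.fullmatch(glob(a), b) for a, b in zip(p, v))

OPERATORS = {
    "ArnLike": arn_like,
    "StringEquals": lambda expected, actual: expected == actual,
    "StringNotEquals": lambda expected, actual: expected != actual,
}

def condition_allows(condition, context):
    """True when every operator/key pair in the Condition block matches."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            if key not in context:
                # Absent key: positive operators fail, negated ones match.
                if op != "StringNotEquals":
                    return False
            elif not OPERATORS[op](expected, context[key]):
                return False
    return True

def admitted(option):
    """Names of the constructed callers that an option's condition lets through."""
    return sorted(n for n, ctx in CALLERS.items() if condition_allows(OPTIONS[option], ctx))
```

Calling `admitted("A")` through `admitted("D")` lists the callers each option would accept; only option A returns myStateMachine alone.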