Amazon SAP-C02 Exam - Topic 8 Question 37 Discussion

Actual exam question for Amazon's SAP-C02 exam
Question #: 37
Topic #: 8
[All SAP-C02 Questions]

A solutions architect is creating an AWS CloudFormation template from an existing, manually created, non-production AWS environment. The CloudFormation stack can be destroyed and recreated as needed. The environment contains an Amazon EC2 instance. The EC2 instance has an instance profile that the EC2 instance uses to assume a role in a parent account.

The solutions architect recreates the role in a CloudFormation template and uses the same role name. When the CloudFormation template is launched in the child account, the EC2 instance can no longer assume the role in the parent account because of insufficient permissions.

What should the solutions architect do to resolve this issue?

Suggested Answer: A

Edit the Trust Policy:

Go to the IAM console in the parent account and locate the role that the EC2 instance needs to assume.

Edit the trust policy of the role to ensure that it correctly allows the sts:AssumeRole action for the role ARN in the child account.

Update the Role ARN:

Verify that the target role ARN specified in the trust policy matches the role ARN created by the CloudFormation stack in the child account.

If necessary, update the ARN to reflect the correct role in the child account.

Save and Test:

Save the updated trust policy and ensure there are no syntax errors.

Test the setup by attempting to assume the role from the EC2 instance in the child account. Verify that the instance can successfully assume the role and perform the required actions.

Deleting and recreating the role gave it a new unique ID; IAM stores principals in trust policies by unique ID, so the parent role's trust policy still references the deleted role rather than the recreated one until the ARN is re-entered. Updating the trust policy ensures that the EC2 instance in the child account can assume the role in the parent account, resolving the permission issue.
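As an added example (not part of this page or of AWS tooling), a Python helper that checks a parent-account trust policy for the symptom behind answer A, a principal that has degraded to a bare unique ID after the trusted role was deleted and recreated, and rewrites it to the new role ARN. The policy document, the `AROA...` value and the child role ARN are constructed sample values.

```python
import copy
import re

# IAM unique IDs for roles (AROA...) and users (AIDA...) are 21 characters long.
_UNIQUE_ID = re.compile(r"A(?:ROA|IDA)[A-Z0-9]{17}")

# Constructed sample of the parent role's trust policy after the child role was
# deleted and recreated: IAM replaced the old ARN with the deleted role's unique
# ID (an invented value here), so the recreated role is no longer trusted.
PARENT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "AROAEXAMPLESTALEID012"},
        "Action": "sts:AssumeRole",
    }],
}

# Assumed ARN of the role the CloudFormation stack created in the child account.
CHILD_ROLE_ARN = "arn:aws:iam::111122223333:role/app-ec2-role"


def _aws_principals(stmt):
    """Return the statement's Principal.AWS entries as a list (may be empty)."""
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):  # e.g. "Principal": "*"
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_stale_principals(policy):
    """List principals that are bare unique IDs (deleted principals) instead of ARNs."""
    return [p for stmt in policy.get("Statement", [])
            for p in _aws_principals(stmt) if _UNIQUE_ID.fullmatch(p)]


def repair_trust_policy(policy, new_role_arn):
    """Return a copy of the policy with every stale unique ID replaced by new_role_arn."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        values = [new_role_arn if _UNIQUE_ID.fullmatch(v) else v
                  for v in _aws_principals(stmt)]
        principal["AWS"] = values[0] if isinstance(principal["AWS"], str) else values
    return fixed


if __name__ == "__main__":
    # Against a live account, load the document with boto3's
    # iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"] and push the
    # repaired copy back with iam.update_assume_role_policy(RoleName=..., PolicyDocument=...).
    print("stale principals:", find_stale_principals(PARENT_TRUST_POLICY))
    print(repair_trust_policy(PARENT_TRUST_POLICY, CHILD_ROLE_ARN))
```

A principal given as an account ID or `arn:aws:iam::ACCOUNT:root` is left untouched, so the check only flags the deleted-role case the question describes.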

Reference

AWS IAM Documentation on Trust Policies.


Contribute your Thoughts:

Willow
3 months ago
CAPABILITY_NAMED_IAM is the way to go for sure.
upvoted 0 times
Rhea
3 months ago
Definitely need to check those permissions!
upvoted 0 times
Allene
3 months ago
Wait, can you really assume roles across accounts like that?
upvoted 0 times
Willis
4 months ago
I think option B makes the most sense!
upvoted 0 times
Theresia
4 months ago
Sounds like a trust policy issue.
upvoted 0 times
Nu
4 months ago
I’m leaning towards option A, but I’m worried that just editing the trust policy might not be enough. We might need to check the role ARN too.
upvoted 0 times
Wava
4 months ago
I feel like I should know the difference between CAPABILITY_NAMED_IAM and CAPABILITY_IAM, but I can't recall the specifics right now.
upvoted 0 times
Edgar
4 months ago
I think option B sounds familiar. We practiced a similar question where we had to allow a role from a different account to assume permissions.
upvoted 0 times
Linsey
5 months ago
I remember we discussed trust policies in class, but I'm not entirely sure if editing the trust policy is the right approach here.
upvoted 0 times
Ryann
5 months ago
This seems straightforward enough. I think option B is the way to go - edit the trust policy in the parent account to allow the child account to assume the role. Shouldn't be too much work to get that sorted out.
upvoted 0 times
Leonardo
5 months ago
I've got a good strategy for this. I'll focus on editing the trust policy in the parent account first, making sure the role ARN is correct and adding the necessary permissions for the child account. That should resolve the issue without needing to mess with the CloudFormation stack.
upvoted 0 times
Madalyn
5 months ago
Okay, I'm a bit confused here. Do I need to update the CloudFormation stack and specify some capabilities? Not sure which ones would be the right choice.
upvoted 0 times
Nan
5 months ago
Hmm, this is a tricky one. I think I'll need to carefully review the trust policy in the parent account to make sure the target role ARN is correct. Might also need to add a statement to allow the child account to assume the role.
upvoted 0 times
Emilio
5 months ago
Hmm, I'm a bit unsure about this one. I'm trying to think through the different options, but I'm not totally sure which one would provide the clearest feedback for employee career growth.
upvoted 0 times
Delpha
2 years ago
I'm going with B. Gotta cover all your bases when dealing with cross-account IAM shenanigans.
upvoted 0 times
Nickolas
1 year ago
Definitely, covering all bases with cross-account IAM permissions is crucial for smooth operations.
upvoted 0 times
Felix
1 year ago
Agreed, it's important to make sure the EC2 instance has the necessary permissions to assume the role in the parent account.
upvoted 0 times
Karrie
1 year ago
I think B is the way to go; adding a statement for the sts:AssumeRole action in the trust policy sounds like the right move.
upvoted 0 times
Louann
2 years ago
Ah, the joys of cloud infrastructure management. At least it's not my problem!
upvoted 0 times
Katie
1 year ago
D) Update the CloudFormation stack again. Specify the CAPABILITY_IAM capability and the CAPABILITY_NAMED_IAM capability.
upvoted 0 times
Delbert
1 year ago
C) Update the CloudFormation stack again. Specify only the CAPABILITY_NAMED_IAM capability.
upvoted 0 times
Eleonora
1 year ago
B) In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Add a statement that allows the sts:AssumeRole action for the root principal of the child account. Save the trust policy.
upvoted 0 times
Brittani
1 year ago
A) In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Ensure that the target role ARN in the existing statement that allows the sts:AssumeRole action is correct. Save the trust policy.
upvoted 0 times
Pete
2 years ago
I think specifying both the CAPABILITY_IAM and CAPABILITY_NAMED_IAM capabilities in the CloudFormation stack update is the best approach.
upvoted 0 times
Kirk
2 years ago
I believe updating the CloudFormation stack again with only the CAPABILITY_NAMED_IAM capability is the right solution.
upvoted 0 times
Raylene
2 years ago
I bet the solutions architect is wishing they had a magic wand right about now.
upvoted 0 times
Rashad
1 year ago
B) In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Add a statement that allows the sts:AssumeRole action for the root principal of the child account. Save the trust policy.
upvoted 0 times
Paulene
2 years ago
A) In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Ensure that the target role ARN in the existing statement that allows the sts:AssumeRole action is correct. Save the trust policy.
upvoted 0 times
Latrice
2 years ago
Hmm, I'm not sure about this one. Gotta read the question carefully.
upvoted 0 times
Veronica
2 years ago
I agree with Coral; adding a statement for the sts:AssumeRole action for the root principal of the child account should resolve the issue.
upvoted 0 times
Coral
2 years ago
I think the solutions architect should edit the trust policy for the role in the parent account.
upvoted 0 times
Lucy
2 years ago
This is a tricky one. I think the answer is B, as the child account needs explicit permission to assume the role in the parent account.
upvoted 0 times
Cherri
1 year ago
That makes sense. It's important to ensure the correct permissions are set up for roles to work properly across accounts.
upvoted 0 times
France
1 year ago
Yes, you're right. Adding a statement in the trust policy for the root principal of the child account should resolve the issue.
upvoted 0 times
Mabel
2 years ago
I think the answer is B, as the child account needs explicit permission to assume the role in the parent account.
upvoted 0 times
Charlene
2 years ago
Yes, that could work too. As long as the EC2 instance has the necessary permissions to assume the role in the parent account.
upvoted 0 times
Jesusita
2 years ago
But wouldn't editing the trust policy in the parent account for the role also work?
upvoted 0 times
Lea
2 years ago
That makes sense, adding a statement in the trust policy for the root principal of the child account should grant the necessary permissions.
upvoted 0 times
Clay
2 years ago
I think the answer is B, as the child account needs explicit permission to assume the role in the parent account.
upvoted 0 times