🔥 3-day streak
AWS Certified Security - Specialty87 / 184
Question 87 of 184
A security engineer configures cross-account access so that an application role in a production account (Account B) can be assumed by an automation role in a tooling account (Account A). The engineer attached an identity-based policy to the automation role in Account A granting sts:AssumeRole on the target role's ARN. In Account B, the target role's trust policy lists only the AWS service principal 'ec2.amazonaws.com' as a trusted principal, and the target role has a permissions policy allowing the required S3 actions. When the automation role attempts to assume the target role, the AssumeRole call fails with AccessDenied. What is the correct fix?
Reviewed for accuracy · Report an issueNext question