🔥 3-day streak
AWS Certified Security - Specialty167 / 184
Question 167 of 184
A company uses a central identity account. Developers assume a role named DevAccess in a workload account via 'sts:AssumeRole'. The DevAccess role's identity-based policy grants access to Secrets Manager secrets only when the request includes a principal tag matching the secret's 'team' tag, using a condition on 'aws:PrincipalTag/team'. Developers report AccessDenied when retrieving secrets even though their IAM users in the identity account have a 'team' tag set. What is the MOST likely cause and correct fix?
Reviewed for accuracy · Report an issueNext question