A company has an Amazon S3 bucket that contains sensitive data files. The company runs an application on virtual machines in an on-premises data center and uses AWS IAM Identity Center. The application requires temporary access to the S3 objects. The company wants to grant the application secure access to the S3 bucket. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use IAM Roles Anywhere to obtain security credentials in IAM Identity Center that grant access to the S3 bucket. Configure the virtual machines to assume the role by using the AWS CLI..
Why this is the answer
IAM Roles Anywhere allows on-premises workloads, like the application running on virtual machines, to obtain temporary AWS credentials from IAM Identity Center. This eliminates the need to manage long-term AWS credentials on-premises, enhancing security. The virtual machines can then use these temporary credentials to assume an IAM role with permissions to the S3 bucket via the AWS CLI. Creating an S3 bucket policy based on public IP ranges is insecure and difficult to manage, especially if IP addresses change. Installing the AWS CLI with static IAM user access keys is a security risk as these are long-term credentials. Storing access keys in Secrets Manager and retrieving them at startup is better than hardcoding, but still relies on long-term IAM user credentials, which is less secure than temporary credentials provided by IAM Roles Anywhere.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed