Learn how to resolve permission errors when EC2 instances assume roles across AWS accounts using CloudFormation templates and IAM role trust policies.
Question
A solutions architect is creating an AWS CloudFormation template from an existing manually created non-production AWS environment. The CloudFormation template can be destroyed and recreated as needed. The environment contains an Amazon EC2 instance. The EC2 instance has an instance profile that the EC2 instance uses to assume a role in a parent account.
The solutions architect recreates the role in a CloudFormation template and uses the same role name. When the CloudFormation template is launched in the child account, the EC2 instance can no longer assume the role in the parent account because of insufficient permissions.
What should the solutions architect do to resolve this issue?
A. In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Ensure that the target role ARN in the existing statement that allows the sts:AssumeRole action is correct. Save the trust policy.
B. In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Add a statement that allows the sts:AssumeRole action for the root principal of the child account. Save the trust policy.
C. Update the CloudFormation stack again. Specify only the CAPABILITY_NAMED_IAM capability.
D. Update the CloudFormation stack again. Specify the CAPABILITY_IAM capability and the CAPABILITY_NAMED_IAM capability.
Answer
A. In the parent account, edit the trust policy for the role that the EC2 instance needs to assume. Ensure that the target role ARN in the existing statement that allows the sts:AssumeRole action is correct. Save the trust policy.
Explanation
The issue arises because the role the instance profile uses no longer matches the principal in the parent account's trust policy. Deleting an IAM role and recreating it with the same name produces a new role with a different unique ID. The parent account's trust policy referenced the original child-account role by ARN; when that role was deleted, IAM rewrote the principal to the deleted role's unique ID rather than leaving the ARN in place, so the recreated role is not trusted. Editing the trust policy of the role in the parent account so that the sts:AssumeRole statement names the correct target role ARN (the recreated role) resolves the permission issue.
Incorrect Options:
- Option B: Granting sts:AssumeRole to the child account's root principal (arn:aws:iam::<child-account-id>:root) trusts the whole child account, not just the EC2 instance's role. It is overly permissive and a security risk.
- Options C and D: The CAPABILITY_NAMED_IAM capability is used for CloudFormation templates that create IAM resources with custom names, and CAPABILITY_IAM for IAM resources without custom names. The stack in the child account has already launched; the failure is in assuming an existing role in the parent account, so stack capabilities are not the cause and these options are not relevant.
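As an added example, not part of the original question, answer, or any AWS-provided code, the following Python script shows the check an operator would run in the parent account after the child-account role has been deleted and recreated: it reads a trust policy document (the JSON that iam:GetRole returns in AssumeRolePolicyDocument), flags any AWS principal that has been rewritten to a bare role unique ID (an "AROA..." string), and emits a corrected policy that names the recreated role's ARN. The account IDs, role names, and the trust policy document embedded below are constructed sample values; the mapping of stale unique IDs to new ARNs is supplied by the caller, since only the operator knows which role was recreated.

```python
"""Detect and repair a stale cross-account trust policy after a role was recreated.

Added example (not from the original question). When an IAM role that another
account's trust policy names by ARN is deleted, IAM replaces the ARN in the
Principal element with the deleted role's unique ID. A role recreated with the
same name gets a new unique ID, so the trust policy no longer matches it and
sts:AssumeRole fails with an access-denied error.
"""
import copy
import json
import re

# Constructed sample: the parent-account role's trust policy as it looks
# after the child-account role was deleted and recreated. Statement 0 used to
# name arn:aws:iam::222222222222:role/ec2-cross-account-role by ARN.
PARENT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "AROAEXAMPLEUNIQUEID1"},  # stale: rewritten by IAM
            "Action": "sts:AssumeRole",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/OtherRole"},
            "Action": "sts:AssumeRole",
        },
    ],
}

CHILD_ACCOUNT_ID = "222222222222"          # constructed
CHILD_ROLE_NAME = "ec2-cross-account-role"  # constructed: RoleName in the template

# Role unique IDs start with "AROA"; the regex is an assumption about their
# shape (upper-case alphanumerics), loose enough for sample values.
UNIQUE_ID_RE = re.compile(r"^AROA[A-Z0-9]{12,}$")


def role_arn(account_id, role_name):
    """Build the IAM role ARN the trust policy should name."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def _aws_principals(statement):
    """Return the AWS principals of a statement as a list (may be empty)."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return []  # "*" or a missing Principal: nothing to check here
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_stale_principals(trust_policy):
    """Return (statement_index, unique_id) pairs for principals that IAM has
    rewritten to a bare role unique ID, meaning the role they named is gone."""
    stale = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        for p in _aws_principals(stmt):
            if UNIQUE_ID_RE.match(p):
                stale.append((i, p))
    return stale


def repair_trust_policy(trust_policy, replacements):
    """Return a deep copy of trust_policy with each stale unique ID in
    `replacements` (unique_id -> new role ARN) swapped for the new ARN.
    The input document is left unmodified."""
    fixed = copy.deepcopy(trust_policy)
    for i, stale_id in find_stale_principals(trust_policy):
        if stale_id not in replacements:
            continue  # leave unknown stale principals for the operator to review
        principal = fixed["Statement"][i]["Principal"]
        aws = principal["AWS"]
        if isinstance(aws, str):
            principal["AWS"] = replacements[stale_id]
        else:
            principal["AWS"] = [replacements.get(p, p) for p in aws]
    return fixed


def main():
    stale = find_stale_principals(PARENT_TRUST_POLICY)
    for idx, unique_id in stale:
        print(f"statement {idx}: principal {unique_id} refers to a deleted role")
    fixed = repair_trust_policy(
        PARENT_TRUST_POLICY,
        {uid: role_arn(CHILD_ACCOUNT_ID, CHILD_ROLE_NAME) for _, uid in stale},
    )
    # The corrected document is what you would pass to iam:UpdateAssumeRolePolicy.
    print(json.dumps(fixed, indent=2))


if __name__ == "__main__":
    main()
```

The script only rewrites principals that the caller explicitly maps, so a trust policy with several stale unique IDs is never silently collapsed onto one role. After applying the corrected document in the parent account, re-run the detection on the live policy to confirm no "AROA" principals remain.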
Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earn Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.