ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 1.2: Security ControlsSecurityEKSIAM

AWS SAP-C02 · Question 52 · Domain 1.2: Security Controls

A company is running a containerized application on Amazon EKS. The application needs to access an Amazon S3 bucket to store user uploads. The security team mandates the principle of least privilege: only the specific pods running the upload service should have access to the S3 bucket, and no other pods in the cluster should have access. How should the Architect implement this?

Answer options:

A.

Use IAM Roles for Service Accounts (IRSA). Create an IAM role with S3 access and associate it with the Kubernetes service account used by the upload pods.

B.

Attach an IAM role with S3 access to the Amazon EKS worker node EC2 instances.

C.

Create an IAM user with S3 access. Store the access keys in a Kubernetes Secret and mount it to the upload pods.

D.

Configure an S3 bucket policy to only allow requests originating from the IP addresses of the upload pods.

How to approach this question

Identify the AWS feature that provides pod-level IAM permissions in EKS.

Full Answer

A.Use IAM Roles for Service Accounts (IRSA). Create an IAM role with S3 access and associate it with the Kubernetes service account used by the upload pods.✓ Correct
Use IAM Roles for Service Accounts (IRSA). Create an IAM role with S3 access and associate it with the Kubernetes service account used by the upload pods.
IAM Roles for Service Accounts (IRSA) is the AWS recommended way to grant IAM permissions to workloads running on Amazon EKS. It leverages OpenID Connect (OIDC) to allow a Kubernetes service account to assume an IAM role. This provides pod-level isolation for IAM permissions, ensuring that only the specific pods that need access to S3 get it, adhering to the principle of least privilege.

Common mistakes

Attaching the IAM role to the EC2 worker node, which grants permissions to all pods on that node.
51All questions53

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5

75 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A global enterprise is redesigning its AWS network architecture across 50 AWS accounts and 3 AWS ...HardQ02A company uses AWS Organizations to manage multiple accounts. The security team mandates that no ...MediumQ03A financial institution requires a disaster recovery strategy for its critical trading applicatio...HardQ04An enterprise is setting up a new multi-account AWS environment using AWS Control Tower. They nee...MediumQ05A company has a complex AWS environment with hundreds of linked accounts under AWS Organizations....Hard
View all 75 questions →