Q70 — AWS DOP-C02 Ch.3


A global company uses AWS Control Tower to manage multiple AWS accounts. The company hosts internal applications and public-facing applications. Each application team has its own AWS account to host its application. Accounts are consolidated into a single organization in AWS Organizations. One AWS Control Tower member account serves as a centralized DevOps account hosting CI/CD pipelines; application teams use this account to deploy applications to their respective target AWS accounts. Deployment IAM roles exist in the centralized DevOps account.

Correct Answer: A. Configure the application account’s deployment IAM role to trust the centralized DevOps account. Configure the trust relationship to allow the sts:AssumeRole action. Configure the application account’s deployment IAM role with permissions required to access the EKS cluster. Configure the EKS cluster’s aws-auth ConfigMap to map the role to appropriate Kubernetes RBAC permissions.

Explanation

This question tests cross-account IAM configuration for a CI/CD pipeline that must deploy to an EKS cluster in another account. Cross-account access works in two halves, and both must be in place. First, the target (application) account owns the deployment role and its trust policy names the source (DevOps) principal and allows sts:AssumeRole; trust always points from the account being accessed toward the account doing the accessing. Second, the pipeline role in the DevOps account needs an identity policy allowing sts:AssumeRole on that specific target role ARN. Once the pipeline has assumed the role, EKS still has to recognise it: the cluster's aws-auth ConfigMap maps the role ARN (written without any IAM path, which aws-iam-authenticator does not accept) to a Kubernetes username and groups, and RoleBindings or ClusterRoleBindings grant those groups the RBAC permissions the deployment needs. The mapping is by role ARN, so it covers every session of that role regardless of session name. Option A is the only one that puts the trust policy in the application account, grants sts:AssumeRole from the DevOps account, and completes the aws-auth mapping. The other options either reverse the trust direction (B, C), rely on SAML-based assumption that has nothing to do with a pipeline role assuming a cross-account role (C), or route deployments through the Control Tower management account (D), which Control Tower guidance keeps out of day-to-day workloads. Practitioner notes: trust the specific pipeline role rather than the DevOps account root so that any principal in that account cannot assume the deployment role, add an ExternalId condition where the pipeline is operated on a team's behalf, and be aware that newer EKS clusters can use access entries in place of aws-auth, although the exam answer assumes aws-auth.
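The configuration described in option A, as an added worked example that is not part of the original question or of any AWS-provided code. It builds the three artifacts (the application-account trust policy, the DevOps-account pipeline policy, and the aws-auth mapRoles entry with a matching RoleBinding) and includes a small checker that flags a trust policy pointing the wrong way, trusting a whole account, or trusting any principal. The account IDs, role names, cluster namespace and group name are constructed sample values.

```python
"""Cross-account EKS deployment role: build the artifacts and check the trust direction.
Account IDs, role names, namespace and group below are constructed sample values."""
import json
import re

DEVOPS_ACCOUNT = "111111111111"   # hosts the CI/CD pipeline role
APP_ACCOUNT = "222222222222"      # hosts the EKS cluster and the deployment role
MGMT_ACCOUNT = "333333333333"     # Control Tower management account (must not be trusted)
PIPELINE_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT}:role/cicd-pipeline"
DEPLOY_ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT}:role/deploy/eks-deploy"  # note the IAM path

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[^/]+/)*([^/]+)$")


def build_trust_policy(devops_principal_arn, external_id=None):
    """Trust policy for the deployment role in the APPLICATION account. The principal is the
    DevOps pipeline role, so trust points from the accessed account to the accessing one."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": devops_principal_arn},
            "Action": "sts:AssumeRole"}
    if external_id:  # optional confused-deputy protection
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def build_pipeline_policy(target_role_arns):
    """Identity policy for the pipeline role in the DEVOPS account: the other half of
    cross-account access. It may assume only the named deployment roles."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": sorted(target_role_arns)}]}


def _principal_account(principal):
    """Return (account_id, remainder) for an AWS principal string, or (None, None)."""
    if re.fullmatch(r"\d{12}", principal):
        return principal, None
    m = re.fullmatch(r"arn:aws:iam::(\d{12}):(.+)", principal)
    return (m.group(1), m.group(2)) if m else (None, None)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_policy, devops_account):
    """Return a list of findings; an empty list means the role can only be assumed by a
    specific principal in the DevOps account (the intended trust direction)."""
    findings, assumable = [], False
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("sts:AssumeRole granted to any principal ('*')")
            continue
        for p in _as_list((principal or {}).get("AWS", [])):
            account, rest = _principal_account(p)
            if account is None:
                findings.append(f"unrecognised principal {p!r}")
            elif account != devops_account:  # reversed trust, management account, etc.
                findings.append(f"principal {p} is outside the DevOps account {devops_account}")
            elif rest in (None, "root"):
                findings.append(f"principal {p} trusts the whole DevOps account; name the pipeline role")
            else:
                assumable = True
    if not assumable and not findings:
        findings.append("no Allow statement grants sts:AssumeRole to the DevOps pipeline role")
    return findings


def aws_auth_role_arn(role_arn):
    """aws-auth matches on the role ARN WITHOUT its IAM path, so strip any path segments."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"


def aws_auth_map_roles_entry(role_arn, groups):
    """One mapRoles entry; {{SessionName}} keeps the pipeline's session name in audit logs."""
    return {"rolearn": aws_auth_role_arn(role_arn), "username": "deploy:{{SessionName}}",
            "groups": list(groups)}


def render_map_roles(entries):
    """Render mapRoles as the YAML list string stored in the aws-auth ConfigMap."""
    lines = []
    for e in entries:
        lines += [f"- rolearn: {e['rolearn']}", f"  username: {e['username']}", "  groups:"]
        lines += [f"    - {g}" for g in e["groups"]]
    return "\n".join(lines) + "\n"


def deployer_role_binding(namespace, group):
    """RoleBinding that gives the mapped group a namespace-scoped 'deployer' Role."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": f"{group}-binding", "namespace": namespace},
            "subjects": [{"kind": "Group", "name": group, "apiGroup": "rbac.authorization.k8s.io"}],
            "roleRef": {"kind": "Role", "name": "deployer", "apiGroup": "rbac.authorization.k8s.io"}}


if __name__ == "__main__":
    trust = build_trust_policy(PIPELINE_ROLE_ARN, external_id="app-team-a")
    print(json.dumps(trust, indent=2))
    print("findings:", check_trust_policy(trust, DEVOPS_ACCOUNT))
    print(render_map_roles([aws_auth_map_roles_entry(DEPLOY_ROLE_ARN, ["app-deployers"])]))
```

With these in place the pipeline step is `aws eks update-kubeconfig --name <cluster> --region <region> --role-arn <deployment role ARN>`, which performs the AssumeRole and writes a kubeconfig whose identity is the assumed role; kubectl then presents a token for that role and aws-auth maps it to the `app-deployers` group.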