Question 27
Domain 4: Identity and Access Management
A company that uses GitHub Actions needs to use a workflow to deploy AWS services. A security engineer must set up authentication between the GitHub Actions workflow and the company's AWS account. The solution must involve no static credentials and no long-lived credentials for access to AWS. Additionally, the workflow must be able to run without requiring any manual changes. Which solution will meet these requirements?
Correct answer: C
Explanation
IAM supports identity federation with OpenID Connect (OIDC). GitHub Actions presents a short-lived OIDC token to AWS STS and receives temporary credentials for an IAM role, so nothing static or long-lived has to be stored in GitHub. The role's trust policy can use condition keys to restrict which GitHub repositories (and branches) may assume the role, and the workflow needs only the role ARN, so it runs without manual changes.
Why each option is right or wrong
A. Create an IAM user. Attach an IAM policy to the IAM user. Use the AWS CLI to generate temporary credentials for the IAM user. Use the access key, secret key, and session token to authenticate to AWS from the workflow.
The temporary credentials are generated from the IAM user's long-lived access key and secret key, which must be stored somewhere the workflow can reach. That stored static credential is exactly what the requirements exclude, and it is not the keyless federation pattern.
B. Enable AWS IAM Identity Center and configure it to use a local directory. Create a new service user in the IAM Identity Center directory. Use the AWS CLI to generate temporary credentials for the service user. Use the user ID and session token to authenticate to AWS from the workflow.
IAM Identity Center is designed for workforce (human) sign-in, not for an unattended GitHub workflow. Obtaining credentials for a service user would still depend on a stored login or a manual sign-in step, and a user ID plus session token is not a valid AWS credential set.
C. Create an OpenID Connect (OIDC) identity provider (IdP) in IAM. Use GitHub as the provider. Create an IAM role. Attach the role to a trust policy that contains condition keys to restrict the GitHub repositories that will run the workflow. Use the role ARN to authenticate to AWS from the workflow.
IAM identity federation lets you create an OIDC identity provider for `token.actions.githubusercontent.com` and pair it with an IAM role whose trust policy allows `sts:AssumeRoleWithWebIdentity` for that provider. The workflow exchanges GitHub's short-lived OIDC token for temporary STS credentials, so no access keys exist anywhere. Condition keys such as `token.actions.githubusercontent.com:sub` (pinned to `repo:<org>/<repo>:ref:refs/heads/<branch>`) and `token.actions.githubusercontent.com:aud` (`sts.amazonaws.com`) restrict the role to the intended repository and branch. This satisfies the no-static, no-long-lived-credential requirement in a fully automated workflow.
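The following is an added example, not part of the original question set: it builds the trust policy that option C describes and then evaluates a constructed GitHub OIDC token's claims against it the way IAM's StringEquals and StringLike condition operators do. The account ID, organization, repository and branch names are assumptions for illustration; the condition-key names, the `sub` claim format and the `sts.amazonaws.com` audience are what GitHub and AWS actually use.

```python
"""Trust-policy check for GitHub Actions -> AWS OIDC federation (added example).

build_trust_policy() produces the IAM role trust policy that option C describes;
would_allow() evaluates a token's claims against it the way IAM's StringEquals
and StringLike condition operators do. Account ID, org, repo and branch names
are assumptions for illustration.
"""
import json
import re

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"  # audience requested by aws-actions/configure-aws-credentials


def build_trust_policy(account_id: str, org: str, repo: str, ref: str = "refs/heads/main") -> dict:
    """Trust policy for a role assumed with sts:AssumeRoleWithWebIdentity from GitHub Actions.

    aud is pinned with StringEquals. sub is matched with StringLike so a caller may pass
    a pattern, but the default pins one repository and one branch so other repositories,
    branches and pull_request runs in the org cannot assume the role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": STS_AUDIENCE},
                    "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": f"repo:{org}/{repo}:ref:{ref}"},
                },
            }
        ],
    }


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(operator: str, key_values: dict, claims: dict) -> bool:
    """Every key under one operator must match; a list of values means 'any of these'."""
    matchers = {"StringEquals": lambda p, v: p == v, "StringLike": _string_like}
    if operator not in matchers:
        raise ValueError(f"unsupported condition operator: {operator}")
    for key, expected in key_values.items():
        claim_name = key.split(":", 1)[1]  # "token.actions.githubusercontent.com:sub" -> "sub"
        actual = claims.get(claim_name)
        if actual is None:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(matchers[operator](p, actual) for p in candidates):
            return False
    return True


def would_allow(policy: dict, claims: dict) -> bool:
    """True if any Allow statement for AssumeRoleWithWebIdentity has all its conditions met.

    A statement with no Condition block matches every token the provider issues,
    which means any GitHub repository could assume the role.
    """
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, kv, claims) for op, kv in conditions.items()):
            return True
    return False


# Constructed claims of a GitHub Actions OIDC token (values chosen for illustration).
MAIN_BRANCH_TOKEN = {
    "iss": f"https://{GITHUB_OIDC_ISSUER}",
    "aud": STS_AUDIENCE,
    "sub": "repo:example-org/deploy-app:ref:refs/heads/main",
    "repository": "example-org/deploy-app",
}

if __name__ == "__main__":
    policy = build_trust_policy("123456789012", "example-org", "deploy-app")
    print(json.dumps(policy, indent=2))
    print("main branch allowed:", would_allow(policy, MAIN_BRANCH_TOKEN))
```

The check to take away: a `sub` pattern such as `repo:example-org/*` lets every repository and branch in the organization assume the role, and a statement with no `Condition` block at all lets any GitHub repository do so, because the provider is the same for all of GitHub. Pin `sub` to the repository and branch (or environment) that should deploy, and always pin `aud`.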
D. Configure Amazon Cognito and create an identity pool. Configure the identity pool for a SAML identity provider (IdP). Use GitHub as the provider. Create an IAM role. Attach the role to a trust policy that allows the sts:AssumeRole action for Cognito. Configure the workflow in GitHub to authenticate against the SAML IdP.
Cognito identity pools federate application end users (web and mobile apps), not CI/CD runners, and GitHub Actions issues OIDC tokens rather than acting as a SAML IdP, so the workflow would have nothing to authenticate against. This is not the standard GitHub Actions-to-AWS federation pattern.