Skip to main content

AWS DVA-C02 Drill: Cross-Account Access - Secure Temporary Credentials

·666 words·4 mins·
Certification Drills AWS DVA-C02 STS AssumeRole
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.
Table of Contents

Jeff’s Note
#

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.

For AWS DVA-C02 candidates, the confusion often lies in distinguishing temporary credential management mechanisms and their integration with the SDK.

In production, this is about knowing exactly how to securely and programmatically grant scoped, short-lived access while avoiding static secrets leakage. Let’s drill down.

The Certification Drill (Simulated Question)
#

Scenario
#

TechNova Labs is building a SaaS platform that integrates resources across multiple AWS accounts to provide isolated customer environments. A developer needs to programmatically access an S3 bucket in a secondary AWS account for data processing during runtime. The access should be temporary, secure, and follow best practices for cross-account resource access.

The Requirement:
#

What is the MOST secure and efficient approach for the developer to obtain temporary access to the resources in the second AWS account?

The Options
#

  • A) Use Amazon Cognito user pools to obtain short-lived credentials for the second account.
  • B) Create a dedicated IAM access key in the second account and send it by email to the developer.
  • C) Create a cross-account IAM role, and use the sts:AssumeRole API call to receive short-lived credentials for the second account.
  • D) Establish trust between accounts and add an SSH public key for the second account to the IAM user credentials.

Google adsense
#

leave a comment:

Correct Answer
#

C

Quick Insight: The Developer API Credential Management Imperative
#

  • Using sts:AssumeRole delivers short-lived, scoped credentials that drastically reduce security risk by avoiding long-term secrets.
  • This aligns perfectly with SDK patterns, enabling automated, scalable, and secure cross-account resource access.
  • Other options either misuse services designed for different purposes, or dangerously expose permanent credentials.

Content Locked: The Expert Analysis
#

You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?

Unlock Full Access & Start Mastering

The Expert’s Analysis
#

Correct Answer
#

Option C

The Winning Logic
#

The most secure and AWS recommended approach to grant temporary cross-account access is:

  • Create an IAM role in the target (second) account with the needed permissions and trust policy allowing the primary account’s IAM user or role to assume it.
  • Have the developer’s application call the sts:AssumeRole API to get temporary security credentials. These credentials have a limited lifetime and scoped permissions, minimizing risk if compromised.
  • This integrates seamlessly with AWS SDKs and CLI, ensures compliance with best practices, and avoids the management overhead and risk of long-lived access keys.

The Trap (Distractor Analysis):
#

  • Why not A? Amazon Cognito user pools provide user authentication and custom identity management, but they do not directly issue STS credentials for cross-account roles and are unrelated to cross-account IAM role assumptions.
  • Why not B? Creating a dedicated long-term IAM access key and transmitting it via email exposes a serious security vulnerability due to credential leakage risks and lack of key rotation.
  • Why not D? SSH key pairs are not a method for granting AWS API permissions or cross-account access. IAM does not support SSH keys for API-level cross-account authentication.

The Technical Blueprint
# 

# Example CLI command to assume a role in a second account
aws sts assume-role \
    --role-arn arn:aws:iam::123456789012:role/CrossAccountAccessRole \
    --role-session-name DemoSession

The Comparative Analysis
#

Option API Complexity Performance Use Case
A Medium (Cognito setup) Moderate User auth, not cross-account access
B Low (IAM key creation) High risk, static Permanent credentials, insecure
C Low (AssumeRole API) Highly efficient Temporary scoped cross-account access
D N/A N/A Invalid for AWS API access

Real-World Application (Practitioner Insight)
#

Exam Rule
#

For the exam, always pick sts:AssumeRole when you see cross-account temporary access keywords.

Real World
#

In reality, developers often combine this with CI/CD pipelines and AWS SDK environment variables to automate secure access tokens retrieval at runtime without manual secret handling.

(CTA) Stop Guessing, Start Mastering
#

Unlock The Full Analysis Now

Disclaimer

This is a study note based on simulated scenarios for the AWS DVA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.