Skip to main content

AWS DVA-C02 Drill: CodeCommit Multi-Account Access - IAM Identity Center vs. Individual IAM Roles

·1461 words·7 mins·
Certification Drills AWS DVA-C02 CodeCommit IAM Identity Center Multi-Account Authentication Git Credentials
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.
Table of Contents

Jeff’s Note
#

Jeff’s Note"
#

“Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.”

“For DVA-C02 candidates, the confusion often lies in understanding when to centralize identity management versus managing IAM users individually. In production, this is about knowing exactly how IAM Identity Center (formerly AWS SSO) simplifies credential lifecycle management across multiple AWS accounts. The exam loves testing whether you understand the operational overhead difference between individual IAM roles and centralized permission sets. Let’s drill down.”

The Certification Drill (Simulated Question)
#

Scenario
#

GlobalTech Solutions operates a distributed software engineering organization with development teams across North America, Europe, and Asia. They use AWS CodeCommit repositories spread across five separate AWS accounts (dev, test, staging, prod-us, prod-eu) for microservices version control. The company is onboarding 30 new remote developers over the next quarter who need secure Git access to repositories across these accounts. The security team mandates centralized access auditing, and the DevOps lead requires a solution that minimizes credential rotation overhead and eliminates long-term access key management.

The Requirement:
#

Implement a secure authentication mechanism for CodeCommit that supports multi-account access, scales efficiently for a geographically distributed team, and minimizes operational management overhead.

The Options
#

  • A) Create individual IAM roles in each AWS account for every developer and configure trust relationships manually.
  • B) Configure permission sets in AWS IAM Identity Center to grant cross-account access to CodeCommit repositories.
  • C) Generate AWS access keys for each developer and distribute them via encrypted email for direct repository access.
  • D) Deploy SSH key pairs to each developer and register the public keys in IAM users across all five accounts.

Correct Answer
#

Option B.

Quick Insight: The Developer Efficiency Imperative
#

For DVA-C02, this tests your understanding of authentication mechanisms at scale. While individual IAM roles (A) work technically, they create exponential management complexity (5 accounts × 30+ developers = 150+ role configurations). IAM Identity Center uses permission sets that propagate to multiple accounts automatically, and developers authenticate once with temporary credentials—exactly what Git credential helpers need for CodeCommit HTTPS access.

Content Locked: The Expert Analysis
#

You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?

Unlock Full Access & Start Mastering

The Expert’s Analysis
#

Correct Answer
#

Option B: Configure permission sets in AWS IAM Identity Center to grant access to the accounts

The Winning Logic
#

IAM Identity Center (formerly AWS SSO) is the AWS-native service for centralizing workforce identity management across multiple accounts within an AWS Organization.

Why this is the developer-optimized solution:

  • Single Sign-On Experience: Developers authenticate once through the Identity Center portal and assume roles across all linked accounts without managing separate credentials per account.
  • Permission Set Propagation: A permission set (e.g., “CodeCommitDeveloper”) is defined once and automatically creates corresponding IAM roles in all member accounts. Adding a new account? The permission set propagates automatically.
  • Temporary Credential Flow: When developers use git-remote-codecommit or the AWS CLI credential helper, IAM Identity Center issues short-lived STS credentials (typically 1-hour sessions), eliminating long-term access key management.
  • Centralized Auditing: All authentication events flow to CloudTrail in the management account, providing a unified audit trail—critical for the DVA-C02 exam’s operational best practices focus.
  • Git Credential Helper Integration: Works seamlessly with git-remote-codecommit (the preferred CodeCommit access method for developers):
# Developer workflow with Identity Center
aws configure sso
# Configures SSO profile in ~/.aws/config

git clone codecommit::us-east-1://my-repo
# Automatically uses SSO session credentials

Operational Efficiency Calculation:

  • Without Identity Center: 5 accounts × 30 users × 2 actions (create role + attach policy) = 300 manual operations
  • With Identity Center: 1 permission set + 30 user assignments = 31 operations (99% reduction)

The Trap (Distractor Analysis)
#

Why not A (Individual IAM roles per developer)?

  • Configuration Explosion: Creating IAM roles per developer in each account creates N×M complexity (developers × accounts). Every new hire or termination requires changes across all accounts.
  • No Native SSO: Developers would need to manually assume roles using aws sts assume-role, which doesn’t integrate cleanly with Git credential helpers.
  • Audit Fragmentation: Access logs scattered across five accounts make compliance reviews cumbersome.
  • Exam Keyword Miss: The question specifies “MOST operationally efficient”—this is AWS exam code for “avoid repetitive manual actions.”

Why not C (Shared AWS access keys)?

  • Security Anti-Pattern: Long-term access keys violate AWS security best practices. They don’t expire automatically and are prone to leakage (especially via .git/config or IDE plugins).
  • Rotation Nightmare: The AWS Security Best Practices whitepaper mandates 90-day key rotation—imagine rotating keys for 30 developers across 5 accounts every quarter.
  • No MFA Enforcement: Access keys bypass MFA policies, which Identity Center can mandate.
  • Credential Leakage Risk: Keys stored in Git configuration files or credential helpers can be accidentally committed to repositories (common developer mistake the exam tests).

Why not D (Public SSH keys)?

  • Partially Valid but Operationally Inefficient: SSH keys do work with CodeCommit, but you must upload each developer’s public key to IAM users in each account separately.
  • Account-Bound Keys: An SSH key uploaded to the dev account doesn’t grant access to the prod-us account—you’d need to duplicate key uploads across all five accounts (150 manual uploads for 30 developers).
  • No Centralized Deprovisioning: Removing access requires deleting SSH key entries from IAM users in five separate accounts—error-prone and slow.
  • Lacks Modern Workflow Integration: SSH doesn’t integrate with temporary credential providers like IAM Identity Center sessions.

The Technical Blueprint
# 

# Step 1: Enable IAM Identity Center (in the AWS Organization management account)
aws sso-admin create-instance --region us-east-1

# Step 2: Create a Permission Set for CodeCommit developers
aws sso-admin create-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-123456 \
  --name CodeCommitDeveloper \
  --session-duration PT8H

# Step 3: Attach AWS managed policy to the permission set
aws sso-admin attach-managed-policy-to-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-123456 \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-123456/ps-123456 \
  --managed-policy-arn arn:aws:iam::aws:policy/AWSCodeCommitPowerUser

# Step 4: Assign users to accounts with this permission set
aws sso-admin create-account-assignment \
  --instance-arn arn:aws:sso:::instance/ssoins-123456 \
  --target-id 111122223333 \
  --target-type AWS_ACCOUNT \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-123456/ps-123456 \
  --principal-type USER \
  --principal-id user-id-from-identity-store

# Developer-side: Configure Git to use CodeCommit with Identity Center
aws configure sso
# Follow prompts to authenticate

# Configure Git credential helper (one-time setup)
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true

# Clone repository using HTTPS (credentials auto-fetched from SSO session)
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo

Key Developer API Interactions:

  • sso:Authenticate → User logs into Identity Center portal
  • sso:GetRoleCredentials → Retrieves temporary credentials for the assigned role
  • codecommit:GitPull / codecommit:GitPush → Authorized via the temporary credentials from the permission set

The Comparative Analysis
#

Option API Complexity Operational Overhead Credential Lifecycle Multi-Account Scalability Use Case
B - IAM Identity Center Low (native SSO integration) Minimal (centralized permission sets) Automatic (1-12 hour sessions) Excellent (permission sets propagate) Distributed teams, multi-account environments
A - Individual IAM Roles High (manual assume-role per account) Very High (N×M configurations) Manual rotation required Poor (linear scaling per account) Small teams, single account
C - Access Keys Medium (static credentials) Very High (quarterly rotation × 30 devs × 5 accounts) Manual 90-day rotation Poor (key duplication needed) Security anti-pattern
D - SSH Keys Medium (key upload to IAM) High (upload to each account separately) Manual key rotation Moderate (keys must be duplicated) Legacy Git workflows, single account

DVA-C02 Exam Pattern Recognition:

  • Keywords like “multiple accounts” + “operationally efficient” = Strong signal for IAM Identity Center
  • “Secure access” + “expanding team” = Centralized identity management (not individual credentials)

Real-World Application (Practitioner Insight)
#

Exam Rule
#

“For DVA-C02, when you see multi-account CodeCommit access combined with operational efficiency or centralized management, always choose IAM Identity Center (AWS SSO). If the scenario mentions a single account with a small team, IAM users with SSH keys are acceptable.”

Real World
#

“In production, we actually combine Identity Center with Attribute-Based Access Control (ABAC). For example, we tag repositories with Environment:Dev and grant permission sets that allow access only to repos matching a developer’s assigned environment tag. This adds fine-grained control without creating separate permission sets per team. Also, for CI/CD pipelines (CodePipeline, Jenkins), we still use IAM roles for service accounts with OIDC federation—not Identity Center, since automated systems don’t perform interactive logins. The exam focuses on human user access patterns.”

Debugging Tip for Developers: If git push fails with “403 Forbidden” when using Identity Center:

  1. Check session expiration: aws sts get-caller-identity (if expired, run aws sso login)
  2. Verify the permission set includes codecommit:GitPush (not just GitPull)
  3. Ensure the repository policy doesn’t have explicit Deny statements overriding your permissions

Stop Guessing, Start Mastering
#

Unlock The Full Analysis Now

Disclaimer

This is a study note based on simulated scenarios for the DVA-C02 exam. AWS service features and best practices evolve—always consult the official AWS Documentation and IAM Identity Center User Guide for the latest implementation patterns.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.