A company runs an application in a third-party cloud.

Amazon Web Services DVA-C02 Question Answer

A company runs an application in a third-party cloud. The company wants to use the application to update data in AWS by using API calls to AWS services. The API calls require credentials.

The company's security policy requires the company to limit the scope and duration of any credentials used to make API calls to AWS services.

Which solution will meet these requirements in the MOST secure way?

Create an IAM user for the application. Configure the application to load the IAM user's credentials as environment variables. Use the IAM user's credentials to interact with AWS services.

Create an IAM user for the application. Populate an AWS Secrets Manager secret with the IAM user's AWS credentials. Use the secret to interact with AWS services.

Create an IAM role for the application. Configure the application to call the AWS STS GetFederationToken API. Use the STS credentials to interact with AWS services.

Create an IAM role for the application. Configure the application to call the AWS STS AssumeRole API. Use the STS credentials to interact with AWS services.

Explanation:

The key security requirement is to limit both scope and duration of credentials used by an external application (running outside AWS). The most secure AWS-native way to do this is to use temporary security credentials issued by AWS Security Token Service (STS), rather than long-term IAM user access keys. Temporary credentials have a short, configurable lifetime and are tied to permissions defined by an IAM role and (optionally) session policies, which enforces least privilege.

With STS AssumeRole, the application requests temporary credentials for a specific IAM role. The role’s permission policy strictly defines what AWS actions and resources the session can access. The resulting credentials automatically expire, reducing the blast radius if the credentials are exposed. This approach also supports best practices such as rotating session credentials frequently and using external IDs and condition keys (where applicable) to reduce confused-deputy risks.

Options A and B rely on long-term IAM user credentials. Even if stored in environment variables or AWS Secrets Manager, these are still persistent credentials that do not inherently meet the “limit duration” requirement and are higher risk if leaked. Secrets Manager improves storage and rotation workflows, but it does not change the fact that IAM user access keys are long-lived by default.

Option C (GetFederationToken) is not the best fit here. Federation tokens are typically used to obtain temporary credentials for a federated user session and are commonly associated with IAM users (or scenarios like providing temporary access to third parties) rather than the standard, role-based pattern for an application assuming permissions. The most direct and widely recommended method for applications needing scoped, time-bound AWS access is AssumeRole.

Therefore, D is the most secure solution: create an IAM role with least-privilege permissions and have the application call STS AssumeRole to obtain short-lived credentials for AWS API calls.

Amazon Web Services DVA-C02 View All Questions

Amazon Web Services DVA-C02 Summary

Vendor: Amazon Web Services
Product: DVA-C02
Update on: Mar 11, 2026
Questions: 519

Price: $52.5 ~~$149.99~~

Buy Now DVA-C02 PDF + Testing Engine Pack

A company has implemented AWS CodeDeploy as part of its CI/CD pipeline.

A developer is writing a new serverless application for a company.

Spring Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmasmnth

A company runs an application in a third-party cloud.

The Answer Is:

Explanation:

Amazon Web Services DVA-C02 Summary

Payments We Accept

Contact Us