Which combination of steps should the developers take in Account B to allow their application to access the PII table?
(Choose two.)
A. Allow the EC2 IAM role the permission to assume the AccessPII role.
B. Allow the EC2 IAM role the permission to access the PII table.
C. Include the AWS API in the application code logic to obtain temporary credentials from the EC2 IAM role to access the PII table.
D. Include the AssumeRole API operation in the application code logic to obtain temporary credentials to access the PII table.
E. Include the GetSessionToken API operation in the application code logic to obtain temporary credentials to access the PII table.
Explanations:
A. The EC2 IAM role in Account B needs permission to assume the AccessPII role in Account A. This allows the application to use the credentials of AccessPII to access the PII table.
B. The EC2 IAM role should not directly access the PII table since it needs to assume the AccessPII role first. Permissions to access the table should be granted to the AccessPII role, not directly to the EC2 role.
C. While the application may require AWS API calls, this option does not specify using the AssumeRole API, which is necessary to obtain temporary credentials. Instead, it incorrectly suggests obtaining credentials from the EC2 IAM role directly, which won’t have the required permissions without assuming the AccessPII role first.
D. The application should include the AssumeRole API operation to obtain temporary credentials for the AccessPII role. This allows the application to access the PII table with the permissions granted to AccessPII.
E. The GetSessionToken API operation is used for obtaining temporary security credentials for users, but it is not appropriate in this context as it does not facilitate the cross-account role assumption needed to access the PII table.
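The following is an added example, not part of the original question or its explanations, showing the three policy documents the correct pattern relies on and the AssumeRole call the application makes. The account IDs, the role name `AppInstanceRole`, the region, and the choice of DynamoDB as the table service are all constructed assumptions (the question only says "PII table" and "AccessPII"). Note that cross-account assumption needs both sides configured: the EC2 role's own policy must allow `sts:AssumeRole`, and the trust policy on AccessPII in Account A must name the EC2 role as a principal. The STS client is injected so the flow can be exercised offline with the fake below, or with a real `boto3.client("sts")`.

```python
"""Cross-account role assumption, as described in the question (added example,
constructed values only; not code from the original page)."""
import json
from datetime import datetime, timedelta, timezone

ACCOUNT_A = "111111111111"   # constructed placeholder: owns the PII table and AccessPII
ACCOUNT_B = "222222222222"   # constructed placeholder: owns the EC2 instance role
ACCESS_PII_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/AccessPII"
EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/AppInstanceRole"   # assumed role name
PII_TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_A}:table/PII"  # assumed service/region


def ec2_role_permissions_policy() -> dict:
    """Identity policy on the EC2 role in Account B. Its only grant is
    sts:AssumeRole on AccessPII; it deliberately carries no permission on the
    table itself, because table access belongs to AccessPII."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": ACCESS_PII_ROLE_ARN,
        }],
    }


def access_pii_trust_policy() -> dict:
    """Trust policy on AccessPII in Account A: names the Account B EC2 role
    as the principal allowed to assume it. Without this, the EC2 role's own
    sts:AssumeRole grant is not enough."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": EC2_ROLE_ARN},
            "Action": "sts:AssumeRole",
        }],
    }


def access_pii_permissions_policy() -> dict:
    """Least-privilege table access, granted to AccessPII rather than to the EC2 role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": PII_TABLE_ARN,
        }],
    }


def assume_access_pii(sts_client, session_name: str = "pii-app") -> dict:
    """What the application code does: call AssumeRole (not GetSessionToken)
    and return AccessPII's temporary credentials. `sts_client` is any object
    with a boto3-style assume_role(RoleArn=..., RoleSessionName=...) method."""
    resp = sts_client.assume_role(
        RoleArn=ACCESS_PII_ROLE_ARN,
        RoleSessionName=session_name,
        DurationSeconds=900,   # shortest allowed; keeps the credential window small
    )
    return resp["Credentials"]


class FakeSts:
    """Offline stand-in for STS that enforces the trust policy check."""

    def __init__(self, caller_arn: str):
        self.caller_arn = caller_arn

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        trusted = [s["Principal"]["AWS"] for s in access_pii_trust_policy()["Statement"]]
        if RoleArn != ACCESS_PII_ROLE_ARN or self.caller_arn not in trusted:
            raise PermissionError("AccessDenied: caller is not trusted to assume AccessPII")
        return {"Credentials": {
            "AccessKeyId": "ASIA-CONSTRUCTED-EXAMPLE",   # constructed, not a real key
            "SecretAccessKey": "constructed",
            "SessionToken": "constructed",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds),
        }}


def ec2_role_can_read_table_directly() -> bool:
    """Shows why granting the EC2 role direct table access is the wrong design:
    nothing in its policy names a dynamodb action on the table."""
    return any(
        "dynamodb" in str(s["Action"]) and s.get("Resource") == PII_TABLE_ARN
        for s in ec2_role_permissions_policy()["Statement"]
    )


if __name__ == "__main__":
    creds = assume_access_pii(FakeSts(EC2_ROLE_ARN))
    print(json.dumps(ec2_role_permissions_policy(), indent=2))
    print("temporary key:", creds["AccessKeyId"], "expires", creds["Expiration"])
```

The credentials returned by `assume_access_pii` are what the application then uses to build its DynamoDB client; a principal not listed in the trust policy is refused even though it may hold an `sts:AssumeRole` grant of its own.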