Which combination of steps should the developers take in Account B to allow their application to access the PII table?
(Choose two.)
Allow the EC2 IAM role the permission to assume the AccessPII role.
Allow the EC2 IAM role the permission to access the PII table.
Include the AWS API in the application code logic to obtain temporary credentials from the EC2 IAM role to access the PII table.
Include the AssumeRole API operation in the application code logic to obtain temporary credentials to access the PII table.
Include the GetSessionToken API operation in the application code logic to obtain temporary credentials to access the PII table.
Explanations:
The EC2 IAM role in Account B must have permission to assume the AccessPII role in Account A before it can use that role to access the PII table.
The EC2 IAM role in Account B needs permission to assume the AccessPII role, not direct permission to access the PII table. The AccessPII role itself provides access to the table.
The application doesn’t need to manually obtain temporary credentials from the EC2 IAM role. The AssumeRole API operation is what retrieves the temporary credentials for accessing resources in Account A.
The AssumeRole API operation is required: the application, running under the EC2 IAM role in Account B, calls it to assume the AccessPII role in Account A and obtain the temporary security credentials used to access the PII table.
The GetSessionToken API operation is not needed in this scenario. It is used to obtain temporary credentials for an AWS user session, but the correct approach here is to assume the AccessPII role via AssumeRole.