AWS Config IAM Role Setup

AWS Config IAM Role

Question

You are planning to use AWS Config to check the configuration of the resources in your AWS account.

You are planning to use an existing IAM role and use it for the AWS Config resource.

Which of the following is required to ensure the AWS config service can work as required?

Answers

Explanations


Answer: A.

Option A is CORRECT because the role must carry a trust policy that allows the AWS Config service principal (config.amazonaws.com) to assume it, as shown below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Option B is incorrect because, when using an existing role with AWS Config, what you add to the role is the IAM trust policy, not a grant policy.

Option C is incorrect because a user policy is attached to an IAM user and does not control which principals may assume the role; the trust policy on the role does.

Option D is incorrect because a group policy is attached to an IAM group and likewise has no effect on who may assume the role; the trust policy on the role does.

For more information on the IAM role permissions, kindly refer to the following URL:

https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html

To use an existing IAM role with AWS Config, you need to ensure two things. First, the role must trust the AWS Config service so that Config can assume it. Second, the role must carry a permissions policy that allows Config to read the configuration of the resources in your account and to deliver snapshots and history to the configured Amazon S3 bucket (and, if used, to publish to the SNS topic). AWS provides the managed policy AWS_ConfigRole (arn:aws:iam::aws:policy/service-role/AWS_ConfigRole) for the read-side permissions; the S3 and SNS delivery permissions are added separately, as described in the linked documentation. The question is about the first of these: the trust relationship.

Out of the given options, the answer is A. Ensure that there is a trust policy in place for the AWS Config service within the role.

A trust policy is the resource-based policy attached to a role that specifies which principals (in this case, the AWS Config service principal config.amazonaws.com) are allowed to call sts:AssumeRole on it. Without such a statement, Config cannot obtain credentials for the role and therefore cannot perform any checks, no matter how generous the role's permissions policy is. When you add the trust statement to an existing role, check whether that role already trusts other principals; a role shared between services or accounts is harder to reason about than one dedicated to Config. As a hardening step, AWS recommends adding a condition such as "StringEquals": {"aws:SourceAccount": "<your-account-id>"} to the trust statement so that only Config acting on behalf of your own account can assume the role (the confused-deputy protection).

Grant policies, user policies, and group policies are not relevant in this context, because none of them controls who may assume a role. Identity-based policies attached to a user, a group, or a role define what that identity is allowed to do once it is authenticated; the trust policy is a separate document on the role that defines which principals may assume it. Only after AWS Config has assumed the role through the trust policy do the role's permissions policies decide which resources Config can read.

In summary, the correct answer is A. Ensure that there is a trust policy in place for the AWS Config service within the role.
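The practical question when reusing an existing role is therefore "does this role's trust policy actually let config.amazonaws.com assume it, and is it pinned to my account?". The following Python script, an added example that is not part of the original page, answers that offline for a trust-policy document such as the one returned by `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`. The three policy documents embedded in it are constructed for illustration (the account ID 111122223333 is a placeholder); the evaluation logic is a deliberately simplified version of IAM's rules, covering Allow/Deny, scalar-or-list fields, action wildcards, and the aws:SourceAccount condition, and ignoring NotPrincipal/NotAction.

```python
"""Evaluate whether an IAM role trust policy lets AWS Config assume the role.

Added example, not code from the original page or from AWS. The policy
documents below are constructed samples; 111122223333 is a placeholder
account ID. NotPrincipal / NotAction are out of scope of this checker.
"""
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"
ASSUME_ROLE = "sts:assumerole"


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers_assume_role(actions):
    """True if any listed action grants sts:AssumeRole, including wildcards."""
    for action in _as_list(actions):
        a = action.lower()
        if a in (ASSUME_ROLE, "sts:*", "*"):
            return True
        if a.endswith("*") and ASSUME_ROLE.startswith(a[:-1]):
            return True  # e.g. sts:Assume*
    return False


def _principal_is_config(principal):
    """True if the Principal names the Config service principal (or everyone)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    services = [s.lower() for s in _as_list(principal.get("Service"))]
    return CONFIG_PRINCIPAL in services


def evaluate_trust_policy(document):
    """Return {'allowed': bool, 'source_account_set': bool} for a trust policy.

    allowed            - at least one Allow statement lets Config call
                         sts:AssumeRole and no matching Deny overrides it
                         (explicit Deny wins, as in IAM evaluation).
    source_account_set - every matching Allow pins aws:SourceAccount via a
                         StringEquals condition (confused-deputy protection).
    """
    policy = json.loads(document) if isinstance(document, str) else document
    allows, denies, pinned = [], [], []
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_is_config(stmt.get("Principal")):
            continue
        if not _action_covers_assume_role(stmt.get("Action")):
            continue
        effect = stmt.get("Effect")
        if effect == "Deny":
            denies.append(stmt)
        elif effect == "Allow":
            allows.append(stmt)
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            pinned.append("aws:SourceAccount" in cond)
    allowed = bool(allows) and not denies
    return {"allowed": allowed, "source_account_set": allowed and all(pinned)}


# Constructed sample 1: the minimal trust policy from the explanation above.
TRUST_POLICY_BASIC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "config.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
})

# Constructed sample 2: same trust, pinned to one account (placeholder ID).
TRUST_POLICY_HARDENED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": ["config.amazonaws.com"]},
                   "Action": ["sts:AssumeRole"],
                   "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}],
})

# Constructed sample 3: an existing role that only trusts EC2; Config cannot use it.
TRUST_POLICY_EC2_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
})

if __name__ == "__main__":
    for name, doc in [("basic", TRUST_POLICY_BASIC),
                      ("hardened", TRUST_POLICY_HARDENED),
                      ("ec2-only", TRUST_POLICY_EC2_ONLY)]:
        print(f"{name:9s} {evaluate_trust_policy(doc)}")
```

Running the script reports that the minimal policy allows Config but is not pinned to an account, the hardened policy allows Config and is pinned, and the EC2-only role cannot be used by Config at all, which is the case that bites when an unrelated existing role is reused without editing its trust relationship.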