Question #1080
A developer has an application that uses AWS Security Token Service (AWS STS). The application calls the STS AssumeRole API operation to provide temporary security credentials to trusted users. The application calls AWS STS at the service's default global endpoint: https://sts.amazonaws.com.
The application is deployed in the Europe (Frankfurt) AWS Region. The application is experiencing intermittent latency errors when calling AWS STS.
What should the developer do to resolve this issue?
A. Update the application to use the GetCallerIdentity API operation.
B. Update the application to use the AssumeRoleWithWebIdentity API operation.
C. Update the application to use a Regional STS endpoint in the Europe (Frankfurt) Region.
D. Update the application to use the AssumeRoleWithSAML API operation. Configure the STS endpoint to use a global endpoint.
Explanation
The correct answer is C. AWS recommends using Regional STS endpoints (e.g., sts.eu-central-1.amazonaws.com) instead of the default global endpoint (sts.amazonaws.com) to reduce latency and avoid intermittent errors caused by cross-region requests. Since the application is deployed in the Europe (Frankfurt) Region, using the Regional endpoint ensures STS API calls are served within the same Region, minimizing network latency.
Why other options are incorrect:
- A: GetCallerIdentity retrieves caller identity but does not address the latency issue with AssumeRole.
- B: AssumeRoleWithWebIdentity is for web identity federation (e.g., Login with Amazon, Google), not for resolving latency issues.
- D: AssumeRoleWithSAML is for SAML-based federation, and using a global endpoint would not resolve latency.
Key Takeaway: Always use Regional STS endpoints for applications to ensure low latency and reliable STS API calls.
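As an added example (not part of the exam page or any AWS material), a small Python audit that tells the default global STS endpoint apart from the Regional one for the Region the application runs in, and resolves which endpoint to use. The partition suffixes and the AWS_STS_REGIONAL_ENDPOINTS handling are assumptions modelled on AWS SDK behaviour; build_sts_client is a hypothetical helper that needs boto3, while the audit functions run on the standard library alone.

```python
# Added example: audit an application's STS endpoint choice against its Region.
import os
from urllib.parse import urlparse

GLOBAL_STS_ENDPOINT = "https://sts.amazonaws.com"


def regional_sts_endpoint(region: str) -> str:
    """Return the Regional STS endpoint for a Region, e.g. eu-central-1 (Frankfurt).
    Assumption: only the commercial (.amazonaws.com) and China (.amazonaws.com.cn)
    partitions are modelled here."""
    suffix = "amazonaws.com.cn" if region.startswith("cn-") else "amazonaws.com"
    return f"https://sts.{region}.{suffix}"


def classify_sts_endpoint(endpoint_url: str, app_region: str) -> str:
    """Classify the endpoint the application is configured with.

    'global'          -> sts.amazonaws.com, the default that causes cross-Region calls
    'regional-local'  -> the Regional endpoint of the Region the app runs in (the fix)
    'regional-remote' -> a Regional endpoint, but for a different Region
    'unknown'         -> not an STS endpoint this audit recognises
    """
    host = (urlparse(endpoint_url).hostname or "").lower()
    if host == urlparse(GLOBAL_STS_ENDPOINT).hostname:
        return "global"
    if host == urlparse(regional_sts_endpoint(app_region)).hostname:
        return "regional-local"
    if host.startswith("sts.") and host.endswith((".amazonaws.com", ".amazonaws.com.cn")):
        return "regional-remote"
    return "unknown"


def effective_sts_endpoint(app_region: str, configured_url: str = "", mode: str = "") -> str:
    """Resolve the endpoint to use: an explicit URL wins; otherwise the Regional endpoint,
    unless AWS_STS_REGIONAL_ENDPOINTS (or the mode argument) is 'legacy', which selects
    the global endpoint. Assumption: unset is treated as 'regional'."""
    if configured_url:
        return configured_url
    mode = (mode or os.environ.get("AWS_STS_REGIONAL_ENDPOINTS", "regional")).lower()
    return GLOBAL_STS_ENDPOINT if mode == "legacy" else regional_sts_endpoint(app_region)


def build_sts_client(app_region: str):
    """Hypothetical helper: create a boto3 STS client pinned to the Regional endpoint."""
    import boto3  # imported lazily so the audit functions run without boto3 installed
    return boto3.client("sts", region_name=app_region,
                        endpoint_url=regional_sts_endpoint(app_region))
```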
Answer
The correct answer is: C