AWS Certified Developer – Associate / Question #1022 of 557

Question #1022

A company’s AWS accounts are part of an AWS Organizations organization. An ECS task running in Account A requires environment variables stored in AWS Systems Manager Parameter Store. A new ECS task in Account B must use the same parameters without duplication. Which solution provides access with the LEAST operational overhead?

A

Create an IAM user in Account A with parameter access and configure the Account B task to use these credentials.

B

Use AWS Resource Access Manager (RAM) to share the parameters directly between Account A and Account B.

C

Develop a script to copy parameters to an S3 bucket shared between both accounts and access them from there.

D

Establish an IAM role in Account A granting parameter access, allowing the Account B task to assume this role.

Explanation

Answer D is correct because:
1. Cross-Account IAM Roles: IAM roles allow secure cross-account access without sharing credentials (unlike Option A, which requires managing IAM user credentials).
2. No Duplication: Parameters remain in Account A, avoiding the need to copy them (unlike Option C, which adds scripting/S3 overhead).
3. AWS Organizations Integration: Since accounts are part of AWS Organizations, trust policies can be simplified, reducing configuration effort.
4. Resource Sharing: Systems Manager Parameter Store parameters cannot be shared via AWS RAM (Option B is invalid).

Other options are incorrect because:
- A: Managing IAM user credentials increases operational risk and overhead.
- B: AWS RAM does not support sharing Parameter Store parameters.
- C: Scripting adds maintenance complexity and delays parameter updates.

Key Points:
- Use IAM roles for secure, low-overhead cross-account access.
- Parameter Store parameters are shared via resource policies or cross-account roles, not AWS RAM.
- AWS Organizations simplifies cross-account trust policies.
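The role-based pattern behind answer D, written out as an added example (this is not code from the question bank or from AWS; the account IDs, organization ID, role names and the `/app/config/` parameter path are constructed placeholders). It builds the three policy documents involved and shows how the Account B task reads the parameters at runtime without any long-lived credentials: the trust policy on the role in Account A names the Account B task role and is additionally restricted to the organization with `aws:PrincipalOrgID`, the permissions policy grants read-only access to one parameter hierarchy, and the task role in Account B only needs `sts:AssumeRole` on the shared role.

```python
"""Cross-account Parameter Store access via an IAM role (answer D).

Added example, not part of the original question. All identifiers below
are constructed placeholders; substitute your own account IDs, org ID,
role names and parameter path.
"""
import json

PARAM_OWNER_ACCOUNT = "111111111111"      # Account A, owns the parameters (placeholder)
CONSUMER_ACCOUNT = "222222222222"         # Account B, runs the new ECS task (placeholder)
ORG_ID = "o-exampleorgid"                 # AWS Organizations ID (placeholder)
REGION = "us-east-1"
PARAM_PATH = "/app/config/"               # parameter hierarchy both tasks read (assumption)
SHARED_ROLE_NAME = "ParameterReaderRole"  # role created in Account A (assumption)
CONSUMER_TASK_ROLE_NAME = "AccountBTaskRole"  # ECS task role in Account B (assumption)


def shared_role_arn() -> str:
    return f"arn:aws:iam::{PARAM_OWNER_ACCOUNT}:role/{SHARED_ROLE_NAME}"


def shared_role_trust_policy() -> dict:
    """Trust policy for the role in Account A. Only the Account B task role may
    assume it, and the caller must also belong to the organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CONSUMER_ACCOUNT}:role/{CONSUMER_TASK_ROLE_NAME}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
        }],
    }


def shared_role_permissions_policy() -> dict:
    """Permissions on the Account A role: read-only, scoped to one parameter path.
    Parameter ARNs drop the leading slash of the name after 'parameter'."""
    param_arn = f"arn:aws:ssm:{REGION}:{PARAM_OWNER_ACCOUNT}:parameter{PARAM_PATH}*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
            "Resource": param_arn,
        }],
    }


def consumer_task_role_policy() -> dict:
    """Attached to the ECS task role in Account B: it may only assume the shared role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": shared_role_arn()}],
    }


def parameters_to_env(parameters: list) -> dict:
    """Map Parameter Store records under PARAM_PATH to environment-variable names:
    '/app/config/db/host' -> 'DB_HOST'. Entries outside the path are ignored."""
    env = {}
    for p in parameters:
        name = p["Name"]
        if not name.startswith(PARAM_PATH):
            continue
        key = name[len(PARAM_PATH):].replace("/", "_").replace("-", "_").upper()
        env[key] = p["Value"]
    return env


def read_shared_parameters(session_name: str = "accountB-ecs-task") -> dict:
    """Runtime path for the Account B task: assume the Account A role with the
    task's own credentials, then page through the parameter hierarchy."""
    import boto3  # imported here so the policy helpers run without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=shared_role_arn(), RoleSessionName=session_name)["Credentials"]
    ssm = boto3.client("ssm", region_name=REGION,
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    records = []
    for page in ssm.get_paginator("get_parameters_by_path").paginate(
            Path=PARAM_PATH, Recursive=True, WithDecryption=True):
        records.extend(page["Parameters"])
    return parameters_to_env(records)


if __name__ == "__main__":
    for title, doc in [("Account A trust policy", shared_role_trust_policy()),
                       ("Account A permissions policy", shared_role_permissions_policy()),
                       ("Account B task role policy", consumer_task_role_policy())]:
        print(f"# {title}\n{json.dumps(doc, indent=2)}\n")
```

If the parameters are `SecureString` values encrypted with a customer managed KMS key, the role in Account A also needs `kms:Decrypt` on that key; the default `aws/ssm` key cannot be used across accounts, so a customer managed key is the usual choice in this pattern. Nothing is copied and no access keys exist in Account B: the task's credentials come from its ECS task role, the assumed-role session is temporary, and CloudTrail in Account A records every `AssumeRole` and `GetParametersByPath` call made by the Account B session.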

Answer

The correct answer is: D