A security analyst needs to let an external vendor (AWS account 555566667777) read data from a set of internal resources in your AWS account. You created an IAM role called VendorReadRole with a policy that allows the required API calls. However, when the vendor tries to access, CloudTrail shows the call fails at AssumeRole with: "Not authorized to perform: sts:AssumeRole". What is the most appropriate fix?
AssumeRole is blocked unless the role trust policy allows the vendor principal. The role’s permissions policy alone cannot permit assumption.
Why this answer
The error 'Not authorized to perform: sts:AssumeRole' indicates that the role's trust policy does not grant the external AWS account (555566667777) permission to assume the role. The trust policy must include an Allow statement with the sts:AssumeRole action, specifying the external account as the principal, and optionally an ExternalId condition to prevent the confused deputy problem. Without this trust policy configuration, even if the permissions policy allows the required API calls, the vendor cannot assume the role.
Exam trap
The trap here is that candidates often confuse the role's permissions policy (which defines what actions the role can perform) with the trust policy (which defines who can assume the role), leading them to incorrectly modify the permissions policy or the vendor's IAM user instead of the trust policy.
How to eliminate wrong answers
Option B is wrong because attaching the allow policy to the vendor account's IAM user does not grant the user permission to call sts:AssumeRole; the trust policy on the role must explicitly allow the external account (or the user) to assume the role, and the policy attached to the user only controls what the user can do after assuming the role, not the assumption itself. Option C is wrong because GetCallerIdentity only returns details about the caller's identity and does not grant any permissions to read data; it cannot substitute for assuming a role to access resources. Option D is wrong because enabling MFA on the vendor's IAM user and requiring MFA in the role's permissions policy does not address the missing trust policy; the role's trust policy must first allow the vendor to assume the role, and MFA conditions are additional constraints, not a fix for the fundamental authorization failure.