AWS Certified Developer – Associate / Question #896 of 557

Question #896

A company stores all personally identifiable information (PII) in an Amazon S3 bucket named PII-Bucket in Account X. Developers are working on an application running on Amazon EC2 instances in Account Y. The application requires access to the PII-Bucket.

An administrator in Account X creates an IAM role named S3AccessRole with permissions to access the PII-Bucket. The role's trust policy specifies Account Y as a principal that can assume the role.

Which combination of steps should the developers take in Account Y to allow their application to access the PII-Bucket? (Choose two.)

A

Grant the EC2 instance's IAM role permission to assume the S3AccessRole.

B

Include the GetSessionToken API call in the application code to obtain temporary credentials.

C

Modify the EC2 instance's IAM role to have direct access to the PII-Bucket.

D

Include the AssumeRole API call in the application code to obtain temporary credentials.

E

Configure the application to use the EC2 instance's existing IAM role credentials directly.

Explanation

Cross-account access here is a two-sided check. The trust policy on S3AccessRole in Account X names Account Y as a principal, which delegates the decision to Account Y but does not by itself let any particular identity in Account Y assume the role. The developers therefore attach a policy to the EC2 instance's IAM role that allows sts:AssumeRole on the S3AccessRole ARN (A), and the application calls AssumeRole against that ARN (D). STS returns temporary credentials (access key ID, secret access key and session token) whose permissions are those of S3AccessRole, and the application uses them for its S3 calls. These credentials expire at the end of the session, so the application or SDK must refresh them.

Why other options are incorrect:
- B: GetSessionToken returns temporary credentials for the same IAM user or root user that calls it (typically to add MFA to a session); it does not switch to another role, and it cannot be called with the role credentials an EC2 instance profile provides.
- C: Adding S3 permissions to the EC2 instance's role in Account Y does not, by itself, grant access to a bucket owned by Account X; cross-account S3 access needs either a bucket policy in Account X that allows the Account Y principal or assumption of a role in Account X. The scenario provides the latter, so changing the EC2 role's own S3 permissions bypasses the intended design and would still need changes in Account X.
- E: The instance role's own credentials identify a principal in Account Y, so S3 in Account X denies the request unless the PII-Bucket bucket policy explicitly allows that principal, which the scenario does not state.

Key Points:
1. Cross-account access here is obtained by assuming a role in the resource-owning account with STS AssumeRole.
2. Both sides must allow it: the target role's trust policy names the caller's account (or the caller itself), and the caller's identity policy grants sts:AssumeRole on the target role's ARN.
3. AssumeRole returns temporary credentials scoped by the target role's permissions; they expire and must be refreshed.
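The following is an added example, not part of the question bank, showing both halves of the correct answer in code: the policy the developers attach to the EC2 role for step A, a small evaluator that models the two-sided check (trust policy in Account X plus identity policy in Account Y), and the AssumeRole call for step D. The account IDs 111111111111 and 222222222222, the EC2 role name AppInstanceRole and the session name pii-app are assumptions; the question only gives the role and bucket names.

```python
"""Cross-account access to PII-Bucket from Account Y.

Step A: grant the EC2 instance role sts:AssumeRole on S3AccessRole.
Step D: call STS AssumeRole and use the temporary credentials for S3.
Account IDs, the EC2 role name and the session name are assumptions.
"""
from fnmatch import fnmatchcase

ACCOUNT_X = "111111111111"  # assumed: owns PII-Bucket and S3AccessRole
ACCOUNT_Y = "222222222222"  # assumed: owns the EC2 instances
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_X}:role/S3AccessRole"
EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_Y}:role/AppInstanceRole"  # assumed name

# Trust policy the Account X admin attached to S3AccessRole. Naming the account
# root delegates to Account Y; it does not by itself let any specific identity
# in Account Y assume the role, which is why step A is still required.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_Y}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Step A: identity policy the developers attach to the EC2 instance role.
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": TARGET_ROLE_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy, caller_arn, caller_account):
    """Does the target role's trust policy accept this caller? An account-root
    principal (or bare account ID) matches any principal in that account;
    an explicit ARN must match the caller exactly."""
    root_arn = f"arn:aws:iam::{caller_account}:root"
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if root_arn in principals or caller_account in principals or caller_arn in principals:
            return True
    return False


def identity_policy_allows(identity_policy, role_arn):
    """Does the caller's own policy grant sts:AssumeRole on role_arn?
    Supports '*' wildcards; an explicit Deny wins over any Allow."""
    allowed = False
    for stmt in identity_policy["Statement"]:
        if not any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_assume(caller_arn, caller_account, identity_policy, trust_policy, role_arn):
    """Cross-account AssumeRole succeeds only when both sides allow it."""
    return trust_policy_allows(trust_policy, caller_arn, caller_account) and \
        identity_policy_allows(identity_policy, role_arn)


def credentials_kwargs(assume_role_response):
    """Map an STS AssumeRole response onto the keyword arguments boto3 clients
    accept. The session token is mandatory for role credentials."""
    c = assume_role_response["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
    }


def s3_client_via_role(role_arn=TARGET_ROLE_ARN, session_name="pii-app", duration=3600):
    """Step D: call AssumeRole with the instance role's own credentials, then
    build an S3 client from the temporary credentials STS returns. Needs boto3
    and live AWS credentials, so it is not exercised offline."""
    import boto3  # imported here so the policy checks above run without it
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)
    return boto3.client("s3", **credentials_kwargs(resp))


if __name__ == "__main__":
    # With step A done, the two-sided check passes.
    print(can_assume(EC2_ROLE_ARN, ACCOUNT_Y, ASSUME_ROLE_POLICY, TRUST_POLICY, TARGET_ROLE_ARN))  # True
    # Trust policy alone (no step A) is not enough.
    print(can_assume(EC2_ROLE_ARN, ACCOUNT_Y, {"Version": "2012-10-17", "Statement": []},
                     TRUST_POLICY, TARGET_ROLE_ARN))  # False
```

The evaluator is a deliberately small model of IAM's logic, not a replacement for the IAM policy simulator. In production the AssumeRole call and credential refresh are usually left to the SDK: a shared-config profile with role_arn set to the S3AccessRole ARN and credential_source = Ec2InstanceMetadata makes boto3 assume the role from the instance credentials and renew the session before it expires.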

Answer

The correct answer is: AD