Question #1653
A manufacturing company stores 15 TB of sensor data daily in an Amazon S3 bucket within a central data account. The company has three internal departments (Quality, Maintenance, and Production) that require read-only access to this data for analysis. The company needs to share the data securely while minimizing administrative overhead and avoiding public exposure. Which solution best meets these requirements?
A. Use S3 Cross-Region Replication to copy the data to separate buckets in each department's account.
B. Generate pre-signed URLs for the S3 bucket and distribute them to department heads temporarily.
C. Configure S3 bucket policies to grant cross-account read access to the respective department accounts.
D. Create IAM roles in the central data account for each department and share credentials with their teams.
Explanation
Option C is correct. A bucket policy is a resource-based policy on the central bucket that can name the three department accounts as principals and limit them to read actions (s3:ListBucket on the bucket, s3:GetObject on its objects). The data stays in one bucket, no public principal is ever granted, and there is no replication pipeline to run and pay for on 15 TB a day (unlike Option A). Cross-account access needs both halves: the bucket policy in the central account and an IAM policy in each department account that allows the same actions for the analysts' roles; either one alone is not enough. Option B does not fit: a pre-signed URL is issued per object, not per bucket, expires after a fixed time, and is a bearer token, so anyone who obtains the URL can read the object. Distributing such URLs for a continuous stream of sensor objects would be unmanageable and would widen exposure rather than prevent it. Option D is insecure because of the credential sharing, not because of the roles: cross-account roles assumed through STS are a valid pattern, but handing out credentials spreads long-lived secrets with no per-user accountability, which violates AWS best practices. Key points: S3 cross-account access via bucket policies minimizes overhead, avoids data duplication, and maintains security without public exposure.
Answer
The correct answer is: C
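The two policy documents that Option C actually requires, as an added example that is not part of the original question or of any AWS documentation: a function that builds the central account's bucket policy for a list of department accounts, one that builds the matching identity policy for a department's analyst role, and two small checks that confirm the bucket policy grants nothing to a public principal and nothing beyond read and list actions. The bucket name, the department account IDs and the Sids are constructed for this example.

```python
from __future__ import annotations

import json

# Constructed identifiers for this example (not from the original page).
BUCKET = "central-sensor-data"
DEPARTMENT_ACCOUNTS = {
    "Quality": "111111111111",
    "Maintenance": "222222222222",
    "Production": "333333333333",
}

# The only actions a read-only consumer needs.
READ_OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]
LIST_BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]


def cross_account_read_policy(bucket: str, account_ids: list[str]) -> dict:
    """Bucket policy for the central data account.

    Granting to each account's root principal delegates the decision of
    which roles in that account may read to the account's own IAM policies.
    Bucket-level actions and object-level actions need separate Resource
    ARNs (the bucket ARN vs. bucket ARN + '/*').
    """
    principals = [f"arn:aws:iam::{acct}:root" for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DepartmentListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": LIST_BUCKET_ACTIONS,
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "DepartmentReadObjects",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": READ_OBJECT_ACTIONS,
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                # A Deny with Principal "*" is not a public grant; it forces TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def department_identity_policy(bucket: str) -> dict:
    """IAM policy for the analysts' role inside one department account.

    Cross-account access is granted only where the resource policy (above)
    and this identity policy both allow the action.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": LIST_BUCKET_ACTIONS + READ_OBJECT_ACTIONS,
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def find_public_grants(policy: dict) -> list[str]:
    """Sids of Allow statements that name any principal ('*') without a
    Condition: the shape that makes a bucket publicly readable."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws) and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def find_write_grants(policy: dict) -> list[str]:
    """Sids of Allow statements whose actions exceed read/list, which would
    break the read-only requirement."""
    allowed = set(READ_OBJECT_ACTIONS + LIST_BUCKET_ACTIONS)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a not in allowed for a in _as_list(stmt.get("Action", []))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = cross_account_read_policy(BUCKET, list(DEPARTMENT_ACCOUNTS.values()))
    print(json.dumps(policy, indent=2))
    print("public grants:", find_public_grants(policy))
    print("write grants:", find_write_grants(policy))
```

Because every Allow principal is a specific account ARN, S3 Block Public Access can stay enabled on the central bucket; it only rejects policies that grant to public principals, and the two check functions flag exactly that shape, plus any write action that slips into a supposedly read-only grant.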