Question #632
A financial company's analytics team generates reports that need to be uploaded to an Amazon S3 bucket in the company's production account. The analytics team operates in a separate development account. The company requires that the team can only access the specific S3 bucket in the production account and must not have access to any other resources.
Which combination of steps should a solutions architect take to meet these requirements? (Choose three.)
A. In the production account, create an IAM policy that grants read and write access to the S3 bucket.
B. In the development account, create an IAM policy that grants read and write access to the S3 bucket.
C. In the production account, create an IAM role. Attach the policy to the role and specify the development account as a trusted entity.
D. In the development account, create an IAM role. Attach the policy to the role and specify the production account as a trusted entity.
E. In the development account, create an IAM group for the analytics team members. Attach a policy that allows the sts:AssumeRole action on the role in the production account.
F. In the development account, create an IAM group for the analytics team members. Attach a policy that allows the sts:AssumeRole action on the role in the development account.
Explanation
To enable cross-account access to a specific S3 bucket:
1. A: The production account creates an IAM policy granting read/write access to the S3 bucket. This policy defines exactly what the role may do, and scoping its Resource to that one bucket is what keeps the team away from everything else.
2. C: The production account creates an IAM role with a trust policy allowing the development account to assume it. This establishes trust between accounts.
3. E: The development account grants its users permission to assume the role via sts:AssumeRole, enabling them to access the S3 bucket.
Why others are incorrect:
- B: Policies in the development account cannot directly grant access to resources in another account.
- D: Roles must be created in the account owning the resource (production), not the development account.
- F: Assuming a role in the same account (development) does not grant cross-account access.
Key Points:
- Use IAM roles for cross-account access.
- Trust policies define which accounts/users can assume roles.
- Users need sts:AssumeRole permissions to switch roles.
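The three documents behind A, C and E, written out as an added example (not part of the original question or explanation). The account IDs, bucket name and role name are constructed placeholders, and the evaluator is a deliberately simplified model of IAM (Allow statements with wildcard matching only; real IAM also applies explicit Deny, SCPs, permission boundaries and resource policies). It is there to make the least-privilege point checkable: the chain dev group -> sts:AssumeRole -> production role -> bucket policy reaches the one bucket and nothing else.

```python
"""Cross-account S3 access via an assumed role: the policy documents for
answer options A, C and E, plus a minimal Allow-only evaluator used to check
that the analytics team can reach the one bucket and no other resource.

All IDs, names and ARNs below are constructed placeholders.
"""
import fnmatch
import json

PROD_ACCOUNT = "111111111111"           # constructed placeholder
DEV_ACCOUNT = "222222222222"            # constructed placeholder
BUCKET = "example-analytics-reports"    # constructed placeholder
ROLE_NAME = "AnalyticsReportsWriter"    # constructed placeholder
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/{ROLE_NAME}"

# A: permissions policy in the production account, attached to the role.
# Resource is scoped to the bucket and its objects only.
BUCKET_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# C: trust policy on the production-account role; the development account
# is the trusted entity allowed to assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
         "Action": "sts:AssumeRole"},
    ],
}

# E: permissions policy on the development-account group, allowing members
# to assume only the production role (not any role).
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: returns True if any Allow statement matches
    both the action and the resource using IAM-style '*' wildcards.
    Explicit Deny, conditions, SCPs and boundaries are intentionally omitted."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", "*"))
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def trusted_principals(trust_policy):
    """Principals that the trust policy allows to call sts:AssumeRole."""
    principals = []
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            principals.extend(_as_list(stmt["Principal"]["AWS"]))
    return principals


def analytics_can_reach(action, resource):
    """Walk the whole chain: the dev group must be allowed to assume the prod
    role (E), the prod role must trust the dev account (C), and the role's
    permissions policy must allow the S3 call on that resource (A)."""
    can_assume = is_allowed(ASSUME_ROLE_POLICY, "sts:AssumeRole", ROLE_ARN)
    dev_is_trusted = f"arn:aws:iam::{DEV_ACCOUNT}:root" in trusted_principals(TRUST_POLICY)
    return can_assume and dev_is_trusted and is_allowed(BUCKET_ACCESS_POLICY, action, resource)


if __name__ == "__main__":
    for label, doc in (("A", BUCKET_ACCESS_POLICY), ("C", TRUST_POLICY), ("E", ASSUME_ROLE_POLICY)):
        print(f"--- option {label} ---")
        print(json.dumps(doc, indent=2))
    print(analytics_can_reach("s3:PutObject", f"arn:aws:s3:::{BUCKET}/q1-report.csv"))   # True
    print(analytics_can_reach("s3:GetObject", "arn:aws:s3:::some-other-bucket/x"))       # False
    print(analytics_can_reach("ec2:DescribeInstances", "*"))                             # False
```

The useful checks are the negative ones: an object in a different bucket and a non-S3 action are both refused, because the role's permissions policy (A) names only the one bucket, and the group's policy (E) names only the one role ARN. Option F would make `is_allowed(ASSUME_ROLE_POLICY, "sts:AssumeRole", ROLE_ARN)` false, since the Resource would point at a development-account role, and the chain would never reach the production bucket.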
Answer
The correct answer is: ACE