Question #630
A company is running applications on AWS in a multi-account setup under AWS Organizations. The development team and analytics team operate in separate AWS accounts. The development team stores terabytes of sensitive data in an Amazon S3 bucket encrypted with an AWS KMS key. The analytics team uses Amazon Redshift for data processing and requires access to the development team's S3 bucket. The analytics team has already configured an IAM role for Amazon Redshift in their account. The company needs a secure cross-account solution with minimal operational overhead.
Create a new S3 bucket in the analytics account. Configure S3 replication rules in the development account to copy data to the analytics account's bucket. Update the Redshift permissions in the analytics account to access the replicated bucket.
Use an SCP to grant the analytics account access to the S3 bucket. Share the KMS key via AWS Resource Access Manager (AWS RAM) from the development account to the analytics account. Modify the Redshift IAM role to include permissions for the S3 bucket.
Update the S3 bucket policy in the development account to grant the Redshift role access. Create a KMS grant for the encryption key to allow the Redshift role to decrypt data. Adjust the Redshift permissions to include the S3 bucket.
Create an IAM role in the development account with access to the S3 bucket and KMS key. Configure the Redshift role in the analytics account to assume the development account's IAM role. Update the KMS key policy to allow the Redshift role to use the key.
Explanation
Option D is correct because it uses cross-account IAM role assumption, which is a secure and efficient method for granting access across AWS accounts. By creating an IAM role in the development account with permissions to access the S3 bucket and KMS key, and configuring the Redshift role in the analytics account to assume this role, the solution avoids complex replication (Option A), incorrect use of SCPs (Option B), and direct modifications to the KMS key policy (Option C). This approach minimizes operational overhead by leveraging existing IAM roles and trust policies, while ensuring the KMS key policy remains focused on the development account's resources. Key points: Cross-account role assumption simplifies permissions, KMS key policies should avoid unnecessary cross-account principals, and IAM roles are the preferred method for secure access delegation.
Answer
The correct answer is: D