Question #714
A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company's finance team hosts a data lake application using Amazon S3. The marketing team requires access to specific prefixes within the S3 bucket, which contains sensitive financial records. The finance team and marketing team operate in separate AWS accounts.
What should a solutions architect do to grant the marketing team access to only the required S3 prefixes while maintaining security?
A. Create an SCP to allow the marketing team's AWS account access to the specified S3 prefixes. Attach the SCP to the OU containing the finance team's account.
B. Create an IAM role in the finance team's account with an IAM policy restricting access to the specific S3 prefixes. Establish a trust relationship with the marketing team's account. In the marketing team's account, create an IAM role permitting assumption of the finance team's IAM role.
C. Apply a bucket policy on the S3 bucket with conditions limiting access to the specific prefixes. In the marketing team's account, create an IAM role with permissions to access the S3 bucket in the finance team's account.
D. Create an IAM role in the finance team's account with full S3 access. Use a permissions boundary to restrict access to the required prefixes. In the marketing team's account, create an IAM role allowing assumption of the finance team's role.
Explanation
Option B is correct because it uses cross-account IAM roles to grant access securely. The finance team creates an IAM role in their account with a policy allowing access only to the required S3 prefixes. By establishing a trust relationship with the marketing team's account, users/roles in the marketing account can assume this role. This ensures the marketing team accesses only the permitted prefixes.
Other options are incorrect because:
- A: SCPs are used to restrict permissions across accounts in an OU, not grant cross-account access to specific resources.
- C: While bucket policies can grant cross-account access, managing permissions via a role in the finance account (as in B) is more secure and centralized.
- D: Using a permissions boundary adds unnecessary complexity; directly defining permissions in the role's policy is safer.
Key Points:
1. Cross-account access is best handled via IAM roles with trust relationships.
2. Resource policies (e.g., S3 bucket policies) can grant access but are less centralized.
3. SCPs are for organizational guardrails, not resource-level access control.
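What option B looks like as policy documents, as an added illustration (not part of the original question or explanation). The account IDs (111111111111 for finance, 222222222222 for marketing), the bucket name finance-data-lake-example, the role names and the prefix marketing/ are all placeholders. The three documents are collected into one JSON object keyed by where each one is attached; in practice each value is its own policy document.

```json
{
  "finance_account_role_trust_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "OnlyMarketingReaderRoleMayAssume",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::222222222222:role/MarketingDataLakeReader"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  },
  "finance_account_role_permissions_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ListOnlyTheMarketingPrefix",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::finance-data-lake-example",
        "Condition": {
          "StringLike": {
            "s3:prefix": ["marketing/*"]
          }
        }
      },
      {
        "Sid": "ReadObjectsUnderTheMarketingPrefix",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::finance-data-lake-example/marketing/*"
      }
    ]
  },
  "marketing_account_role_permissions_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAssumingTheFinanceAccessRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111111111111:role/FinanceDataLakeMarketingAccess"
      }
    ]
  }
}
```

Two details matter for the "only the required prefixes" requirement. Listing is a bucket-level action, so it is scoped with the s3:prefix condition key rather than an object ARN; object reads are scoped by putting the prefix in the Resource ARN. Because the role lives in the same account as the bucket, no bucket policy is needed for it to take effect, and a broad bucket policy is not what grants the marketing team access. The trust policy names a specific role ARN instead of the whole marketing account root, so only that role can assume it, and the assuming role still needs its own sts:AssumeRole permission, which the third document supplies. If the bucket objects are encrypted with a customer-managed KMS key, the finance-account role additionally needs kms:Decrypt on that key.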
Answer
The correct answer is: B