Q69 — AWS SAA-C03 Ch.4


Q264. A solutions architect needs to allow team members to access Amazon S3 buckets in two different AWS accounts: a development account and a production account. The team currently has access to S3 buckets in the development account by using unique IAM users that are assigned to an IAM group that has appropriate permissions in the account. The solutions architect has created an IAM role in the production account. The role has a policy that grants access to an S3 bucket in the production account. Which solution will meet these requirements while complying with the principle of least privilege?

Correct Answer: B. Add the development account as a principal in the trust policy of the role in the production account

Explanation

To allow team members to access Amazon S3 buckets in two different AWS accounts, a solutions architect should add the development account as a principal in the trust policy of the role in the production account. Therefore, option B is the correct answer.

Option A suggests attaching the AdministratorAccess policy to the development account users. While this approach can work, it does not follow the principle of least privilege and may provide more permissions than necessary.

Option C suggests turning off the S3 Block Public Access feature on the S3 bucket in the production account. While this approach can work for providing access to the S3 bucket, it does not address how team members can authenticate with the account and access other resources.

Option D suggests creating a user in the production account with unique credentials for each team member. While this approach can work, it may be difficult to manage and revoke access for individual users, especially if team members change roles or leave the company.

By adding the development account as a principal in the trust policy of the role in the production account, the solutions architect can allow team members in the development account to assume the role and access the S3 bucket in the production account without sharing any secrets across accounts. The trust policy can be scoped down to specific IAM users or groups in the development account, providing fine-grained control over who can assume the role. This solution meets the requirements stated in the question while complying with the principle of least privilege.
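As an added illustration (not part of the original question or of any AWS documentation), this is what the production-account role's trust policy looks like when scoped to named identities in the development account; the account ID 111111111111 is a placeholder and the user names alice and bob are assumed. Naming the account root (arn:aws:iam::111111111111:root) as the principal instead would let any development-account identity that holds an sts:AssumeRole permission assume the role, so listing specific principals is the tighter choice.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3TeamFromDevelopmentAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:user/alice",
          "arn:aws:iam::111111111111:user/bob"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

A trust policy cannot name an IAM group as a principal, so the group-level control belongs in an identity policy attached to the development account's IAM group that allows sts:AssumeRole on the production role's ARN. Neither document touches the bucket's S3 Block Public Access settings, which stay enabled.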