Q1 — AWS SAP-C02 Ch.1


Q76. A digital marketing company has multiple AWS accounts that belong to various teams. The creative team uses an Amazon S3 bucket in its AWS account to securely store images and media files that are used as content for the company's marketing campaigns. The creative team wants to share the S3 bucket with the strategy team so that the strategy team can view the objects. A solutions architect has created an IAM role that is named strategy_reviewer in the Strategy account. The solutions architect also has set up a custom AWS Key Management Service (AWS KMS) key in the Creative account and has associated the key with the S3 bucket. However, when users from the Strategy account assume the IAM role and try to access objects in the S3 bucket, they receive an Access Denied error. The solutions architect must ensure that users in the Strategy account can access the S3 bucket. The solution must provide these users with only the minimum permissions that they need. Which combination of steps should the solutions architect take to meet these requirements? (Select THREE.)

Correct Answer: A, C, F.
A. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to the account ID of the Strategy account.
C. Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.
F. Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.

Explanation

To give users in the Strategy account access to the S3 bucket with only the minimum required permissions, the solutions architect should take the following three steps:

A. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to the account ID of the Strategy account.
C. Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.
F. Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.

Why these steps are needed:

A. A bucket policy with read permissions whose principal is the Strategy account ID delegates read access on the bucket to that account. Because the access is cross-account, this resource-based grant alone is not sufficient: a principal in the Strategy account can still only do what its own identity-based policies permit, which is why step F is also required.
C. The objects are encrypted with the custom KMS key, so S3 must call KMS on the caller's behalf to decrypt them. Granting decrypt permissions to the strategy_reviewer IAM role in the key policy in the Creative account allows the role to decrypt objects in the S3 bucket that are encrypted with that key. Without this grant, S3 cannot decrypt the object for the caller and the request fails with Access Denied even though the bucket policy allows the read.
F. Updating the strategy_reviewer IAM role to grant read permissions for the S3 bucket and decrypt permissions for the custom KMS key ensures that users who assume the role have the identity-based permissions needed to read the objects and decrypt them.

Together, these three steps provide the necessary permissions and access control for users in the Strategy account to access the S3 bucket securely with the minimum required permissions.

Option B is incorrect because granting full permissions for the S3 bucket and decrypt permissions for the custom KMS key would give the strategy_reviewer IAM role excessive privileges, which violates the principle of least privilege.
Option D is incorrect because setting the principal of the bucket policy to an anonymous user would allow public access to the S3 bucket, which is not desired in this scenario.
Option E is incorrect because granting encrypt permissions to the strategy_reviewer IAM role in the custom KMS key policy is unnecessary for the requirement of accessing and decrypting objects in the S3 bucket.

Therefore, the correct combination of steps to meet the requirements is A, C, and F.
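As an added example (not part of the original question or its explanation), here are the three policy documents that implement steps A, C and F, plus a minimal cross-account evaluator showing that the read succeeds only when all three are in place and that nothing beyond read and decrypt is granted. The account IDs, bucket name and key ID are constructed placeholders, and the evaluator is a deliberately simplified model of IAM evaluation (Allow statements only, trailing-wildcard matching, no conditions).

```python
CREATIVE, STRATEGY = "111111111111", "222222222222"  # constructed placeholder account IDs
BUCKET = "creative-campaign-media"                   # constructed bucket name
KEY_ARN = f"arn:aws:kms:us-east-1:{CREATIVE}:key/00000000-0000-0000-0000-000000000000"
ROLE_ARN = f"arn:aws:iam::{STRATEGY}:role/strategy_reviewer"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"

# Step A: bucket policy (Creative account). Read-only; the principal is the Strategy
# account root, which delegates to that account but grants nothing to any role by itself.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{STRATEGY}:root"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", OBJECTS]}]}
# Step C: key policy on the custom KMS key (Creative account). Decrypt only, for the role.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": "kms:Decrypt", "Resource": "*"}]}
# Step F: identity policy attached to strategy_reviewer (Strategy account).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", OBJECTS]},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def match(pattern, value):
    # simplified IAM matching: exact, or a trailing '*' wildcard
    return pattern == value or (pattern.endswith("*") and value.startswith(pattern[:-1]))

def allows(policy, principal, action, resource):
    """Allow statement covers the request? Resource policies name a Principal (matched as
    the role ARN or its account root); identity policies carry no Principal."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if "Principal" in st:
            root = f"arn:aws:iam::{principal.split(':')[4]}:root"
            if not any(p in (principal, root) for p in as_list(st["Principal"]["AWS"])):
                continue
        if any(match(a, action) for a in as_list(st["Action"])) and \
           any(match(r, resource) for r in as_list(st["Resource"])):
            return True
    return False

def can_read_encrypted_object(bucket_policy, key_policy, role_policy, role_arn=ROLE_ARN):
    """Cross-account read of an SSE-KMS object: the bucket policy AND the key policy must
    allow the caller, AND the caller's own policy must allow s3:GetObject AND kms:Decrypt.
    Any missing leg is an Access Denied, which is why A, C and F are all required."""
    return (allows(bucket_policy, role_arn, "s3:GetObject", OBJECTS)
            and allows(role_policy, None, "s3:GetObject", OBJECTS)
            and allows(key_policy, role_arn, "kms:Decrypt", KEY_ARN)
            and allows(role_policy, None, "kms:Decrypt", KEY_ARN))
```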