Q27 — AWS SAP-C02 Ch.1

Question 27 of 75 | ← Chapter 1

Q102. A publishing company's design team updates the icons and other static assets that an ecommerce web application uses. The company serves the icons and assets from an Amazon S3 bucket that is hosted in the company's production account. The company also uses a development account that members of the design team can access. After the design team tests the static assets in the development account, the design team needs to load the assets into the S3 bucket in the production account. A solutions architect must provide the design team with access to the production account without exposing other parts of the web application to the risk of unwanted changes. Which combination of steps will meet these requirements? (Select THREE.)

Correct Answer: A, C, E

A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket.
C. In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity.
E. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the production account.

Explanation

The requirement has two halves: the design team must be able to write to one S3 bucket in the production account, and nothing else in the production account may become reachable. The standard way to meet both is cross-account role assumption: the permissions live on a role in the account that owns the bucket, the role trusts the account the users already sign in to, and the users are granted only the right to assume that role.

A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket. The policy defines exactly what the design team may do, and its Resource element is scoped to the asset bucket and its objects, so the permissions stop at the bucket boundary. Other parts of the web application are never named and therefore cannot be changed through this path.

C. In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity. The role is the only principal in the production account that carries the bucket permissions. Its trust policy names the development account as a trusted principal, which is what allows identities from the development account to call sts:AssumeRole on it. Note that trusting the account delegates the choice of which identities may assume the role to the development account's IAM configuration; step E is what narrows that to the design team.

E. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the production account. Cross-account AssumeRole requires permission on both sides: the trust policy on the role (step C) and an identity-based policy on the caller that allows sts:AssumeRole on the role's ARN. Putting that policy on a group keeps membership manageable and limits who can use the role. The designers then assume the role, receive temporary credentials from STS, and use those credentials to upload assets to the bucket.

Option B is incorrect because it creates the S3 permission policy in the development account. The bucket lives in the production account, so the policy that grants access to it must be attached to a principal in the production account. Options D and F are incorrect because they create the role and attach the policy in the development account; a role in the development account has no authority over a production bucket unless the bucket itself grants it, which is not part of this design.

Therefore the correct combination is A, C, and E: a bucket-scoped IAM policy in the production account, a role in the production account that carries that policy and trusts the development account, and a group in the development account whose members are allowed to assume that role.
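The three policy documents that steps A, C and E produce, written out as a constructed example. This is added illustration, not code from the page or from AWS; the account IDs 111111111111 (production) and 222222222222 (development), the bucket name example-static-assets and the role name DesignTeamAssetPublisher are assumptions. The check at the end verifies the property the question cares about: the permission policy reaches the asset bucket and nothing else.

```python
"""Cross-account S3 access for the design team: the three policy documents
from steps A, C and E, plus a least-privilege check on the permission policy.

Constructed example. Account IDs, bucket name and role name are assumptions.
"""
import json

PROD_ACCOUNT = "111111111111"            # assumption: production account ID
DEV_ACCOUNT = "222222222222"             # assumption: development account ID
BUCKET = "example-static-assets"         # assumption: bucket that serves the icons
ROLE_NAME = "DesignTeamAssetPublisher"   # assumption: role created in production

BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/{ROLE_NAME}"


def asset_bucket_policy() -> dict:
    """Step A: permission policy in the production account, scoped to one bucket.
    Bucket-level actions go on the bucket ARN, object actions on bucket/*."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListAssetBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": BUCKET_ARN,
            },
            {
                "Sid": "ReadWriteAssetObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"{BUCKET_ARN}/*",
            },
        ],
    }


def role_trust_policy() -> dict:
    """Step C: trust policy on the production role. Trusting the development
    account's root principal lets that account's IAM decide who may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def design_team_group_policy() -> dict:
    """Step E: identity policy attached to the design team group in the
    development account. Only the one production role may be assumed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal; normalise."""
    return value if isinstance(value, list) else [value]


def check_scoped_to_bucket(policy: dict, bucket_arn: str) -> bool:
    """Least-privilege check: every Allow statement uses only concrete s3:
    actions and only the asset bucket or its objects as resources, so the
    role cannot touch other parts of the application."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if not action.startswith("s3:") or action.endswith("*"):
                return False
        for resource in _as_list(stmt["Resource"]):
            if resource not in (bucket_arn, f"{bucket_arn}/*"):
                return False
    return True


def trusted_accounts(trust_policy: dict) -> set:
    """Account IDs named as AWS principals in a role trust policy."""
    accounts = set()
    for stmt in trust_policy["Statement"]:
        for principal in _as_list(stmt["Principal"]["AWS"]):
            accounts.add(principal.split(":")[4])   # arn:aws:iam::ACCOUNT:root
    return accounts


if __name__ == "__main__":
    for name, doc in (("A permission", asset_bucket_policy()),
                      ("C trust", role_trust_policy()),
                      ("E group", design_team_group_policy())):
        print(f"--- step {name} policy ---")
        print(json.dumps(doc, indent=2))
    print("scoped to bucket:", check_scoped_to_bucket(asset_bucket_policy(), BUCKET_ARN))
    print("trusted accounts:", trusted_accounts(role_trust_policy()))
```

In use, a designer signed in to the development account runs `aws sts assume-role --role-arn <ROLE_ARN> --role-session-name design-upload`, exports the returned temporary credentials, and then runs `aws s3 cp` against the bucket; the call succeeds only because both the trust policy (C) and the group policy (E) allow it. The check function is the kind of guard worth running in a policy review or CI step: a policy with `"Resource": "*"` or `"Action": "s3:*"` fails it even though it would satisfy the literal "read and write access" wording.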