Q7 — AWS SAP-C02 Ch.3
Q232. A company is running applications on AWS in a multi-account environment. The company's sales team and marketing team use separate AWS accounts in AWS Organizations. The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualizations. The marketing team needs access to data that the sales team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key. The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in the marketing AWS account. The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts. Which solution will meet these requirements with the LEAST operational overhead?
- A. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3 bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket
- B. Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS Resource Access Manager (AWS RAM) to share the KMS key from the sales account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket
- C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket
- D. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account ✓
Correct Answer: D. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account
Explanation
The correct answer is D: Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account.

Option D provides secure access to the data in the S3 bucket across AWS accounts in a multi-account environment with the least operational overhead.

By creating an IAM role in the sales account and granting it access to the S3 bucket, the sales account controls and manages the permissions the marketing team uses to reach the data. This approach allows for granular access control and central management of permissions.

From the marketing account, using AWS Identity and Access Management (IAM), the marketing team assumes the IAM role created in the sales account. This lets the marketing team access the S3 bucket as if they were accessing it directly from their own account, without replicating or transferring the data.

Updating the QuickSight role to create a trust relationship with the new IAM role in the sales account ensures that QuickSight has the permissions it needs to access the data in the S3 bucket.

This solution provides a straightforward and secure way for the marketing team to access the data stored in the S3 bucket without additional data replication or sharing of encryption keys. It also offers centralized access control and reduces operational overhead.

Overall, by leveraging IAM roles and trust relationships, this solution provides secure access to the data in the S3 bucket across AWS accounts with minimal ongoing operational overhead in a multi-account environment.
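As an added illustration of option D (not part of the original question or of any AWS documentation), these are the three policy documents the design implies: the trust policy and permissions policy of the new role in the sales account, and the statement added to the marketing account's QuickSight service role so it can assume that role. Account IDs, the bucket, key, region and role names are placeholders.

```json
{
  "sales_account_role_trust_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowMarketingQuickSightRoleToAssume",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<MARKETING_ACCOUNT_ID>:role/<QUICKSIGHT_SERVICE_ROLE>"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  },
  "sales_account_role_permissions_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadSalesBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
          "arn:aws:s3:::<SALES_BUCKET>",
          "arn:aws:s3:::<SALES_BUCKET>/*"
        ]
      },
      {
        "Sid": "DecryptWithSalesKmsKey",
        "Effect": "Allow",
        "Action": ["kms:Decrypt"],
        "Resource": "arn:aws:kms:<REGION>:<SALES_ACCOUNT_ID>:key/<KEY_ID>"
      }
    ]
  },
  "marketing_account_quicksight_role_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AssumeSalesDataAccessRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<SALES_ACCOUNT_ID>:role/<SALES_DATA_ACCESS_ROLE>"
      }
    ]
  }
}
```

The KMS key policy in the sales account must still allow IAM policies in that account to grant use of the key (the default key policy's account-root statement does this); the key itself is never shared with the marketing account, which is what keeps the overhead low.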