Q86 — AWS SCS-C02 Ch.1
Question 86 of 100 | ← Chapter 1
Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B. After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket. Which solution will resolve this issue?
- A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
- B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.
- C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B. ✓
- D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.
Correct Answer: C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
Explanation
AWS跨账户访问S3桶需通过资源策略授权。IAM策略仅在请求方账户生效,而S3资源策略(桶策略)必须附加到目标资源所属账户。AWS文档明确说明,跨账户访问S3时,资源方需配置桶策略,明确允许外部账户的实体访问。选项A和B的ACL仅提供有限权限且需与策略结合,无法独立解决跨账户问题。选项D的用户策略无法应用于其他账户的用户。只有选项C的桶策略能在Account B中直接授权Account A用户访问权限。答案C符合AWS跨账户访问最佳实践。