AWS Certified Data Engineer – Associate (DEA-C01) — Question 143

A company uses Amazon S3 to store data and Amazon QuickSight to create visualizations,

The company has an S3 bucket in an AWS account named Hub-Account. The S3 bucket is encrypted by an AWS Key Management Service (AWS KMS) key. The company's QuickSight instance is in a separate account named BI-Account.

The company updates the S3 bucket policy to grant access to the QuickSight service role. The company wants to enable cross-account access to allow QuickSight to interact with the S3 bucket.

Which combination of steps will meet this requirement? (Choose two.)

Answer options

• A. Use the existing AWS KMS key to encrypt connections from QuickSight to the S3 bucket.
• B. Add the S3 bucket as a resource that the QuickSight service role can access.
• C. Use AWS Resource Access Manager (AWS RAM) to share the S3 bucket with the BI-Account account.
• D. Add an IAM policy to the QuickSight service role to give QuickSight access to the KMS key that encrypts the S3 bucket.
• E. Add the KMS key as a resource that the QuickSight service role can access.

Correct answer: E

Explanation

The correct answer is E, as QuickSight needs access to the KMS key to decrypt the S3 bucket data. Option A is incorrect because encryption of connections does not grant access to the S3 bucket. Option B does not address the KMS key requirement, while option C is not applicable since sharing the S3 bucket via AWS RAM is not necessary for QuickSight's access. Option D, while it provides necessary permissions, does not include the crucial step of allowing access to the KMS key directly.