AWS Certified Database – Specialty — Question 68

Developers have requested a new Amazon Redshift cluster so they can load new third-party marketing data. The new cluster is ready and the user credentials are given to the developers. The developers indicate that their copy jobs fail with the following error message:
`Amazon Invalid operation: S3ServiceException:Access Denied,Status 403,Error AccessDenied.`
The developers need to load this data soon, so a database specialist must act quickly to solve this issue.
What is the MOST secure solution?

Answer options

• A. Create a new IAM role with the same user name as the Amazon Redshift developer user ID. Provide the IAM role with read-only access to Amazon S3 with the assume role action.
• B. Create a new IAM role with read-only access to the Amazon S3 bucket and include the assume role action. Modify the Amazon Redshift cluster to add the IAM role.
• C. Create a new IAM role with read-only access to the Amazon S3 bucket with the assume role action. Add this role to the developer IAM user ID used for the copy job that ended with an error message.
• D. Create a new IAM user with access keys and a new role with read-only access to the Amazon S3 bucket. Add this role to the Amazon Redshift cluster. Change the copy job to use the access keys created.

Correct answer: B

Explanation

The correct answer is B because it involves creating an IAM role specifically with read-only access to the S3 bucket, which is essential for the developers to load their data, and it updates the Amazon Redshift cluster to use this role securely. Option A is incorrect as it uses the same name as the user ID, which doesn't address the access issue properly. Option C incorrectly adds the role to the developer's IAM user instead of the Redshift cluster, and option D introduces unnecessary complexity by creating a new IAM user and access keys.