AWS Certified Developer – Associate — Question 370
A developer is deploying an application on Amazon EC2 instances that run in Account A. In certain cases, this application needs to read data from a private
Amazon S3 bucket in Account B. The developer must provide the application access to the S3 bucket without exposing the S3 bucket to anyone else.
Which combination of actions should the developer take to meet these requirements? (Choose two.)
Answer options
- A. Create an IAM role with S3 read permissions in Account B.
- B. Update the instance profile IAM role in Account A with S3 read permissions.
- C. Make the S3 bucket public with limited access for Account A.
- D. Configure the bucket policy in Account B to grant permissions to the instance profile role.
- E. Add a trust policy that allows s3:Get* permissions to the IAM role in Account B.
Correct answer: B, D
Explanation
To enable secure cross-account S3 access, both sides must allow it: the EC2 instance profile's IAM role in Account A must carry an identity policy that permits read operations on the S3 bucket in Account B, and the bucket policy in Account B must explicitly name that specific IAM role (by ARN) as the principal. Because the caller and the resource live in different accounts, neither policy on its own is sufficient. Making the bucket public is a security risk, and creating a new role in Account B or editing trust policies is not required when the bucket policy grants access directly to the Account A role.
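As an added illustration (not part of the original question or an AWS-provided sample), the following Python script holds the two policy documents that options B and D describe and runs a small scoping check against the bucket policy, rejecting a public variant like option C. Account IDs, the role name and the bucket name are constructed placeholders.

```python
import copy

# Constructed placeholder identifiers; replace with real ARNs in practice.
ACCOUNT_A_ROLE_ARN = "arn:aws:iam::111111111111:role/AppInstanceRole"
BUCKET_ARN = "arn:aws:s3:::example-private-bucket-account-b"
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}

# Option B: identity policy attached to the instance profile role in Account A.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Option D: bucket policy in Account B that grants only that one role.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccountARoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT_A_ROLE_ARN},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Option C, the anti-pattern: same grant but open to any principal.
PUBLIC_POLICY = copy.deepcopy(BUCKET_POLICY)
PUBLIC_POLICY["Statement"][0]["Principal"] = "*"


def bucket_policy_is_scoped(policy: dict, allowed_principal: str) -> bool:
    """True only if every Allow statement names exactly `allowed_principal`
    (no '*' or {"AWS": "*"} public grant) and uses read-only S3 actions."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            return False
        arns = principal.get("AWS") if isinstance(principal, dict) else None
        if isinstance(arns, str):
            arns = [arns]
        if arns != [allowed_principal]:
            return False
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not set(actions) <= READ_ONLY_ACTIONS:
            return False
    return True
```

The check is deliberately strict: a statement granting `s3:*` or naming a second principal fails it, which is the property "without exposing the S3 bucket to anyone else" asks for.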