AWS Certified Security – Specialty — Question 316
A company provides an AWS account for each of its teams. Members of each team authenticate with AWS by using user accounts in their own team’s account.
The company created a project-specific AWS account for collaboration by three or more teams. The company also created a new Amazon S3 bucket inside this new account. There is no S3 bucket policy or S3 ACL. A security engineer must implement a secure solution so that all teams can read objects and write to objects that are stored in the S3 bucket.
What should the security engineer do to meet these requirements?
Answer options
- A. In the same AWS account where the S3 bucket resides, update the bucket’s ACL to include the canonical user ID of the teams’ AWS accounts. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket.
- B. In the same AWS account where the S3 bucket resides, create an IAM role that has appropriate permissions for the bucket. Include a trust policy that specifies the teams’ AWS accounts as the principals. Teams will assume the role when they read objects and write to objects in the bucket.
- C. In the same AWS account where the S3 bucket resides, add a bucket policy to allow all the teams to read objects and write to objects in the bucket. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket.
- D. In the same AWS account where the S3 bucket resides, create an IAM user, an IAM group, and access keys for each team. Each team will share its access keys when the team reads objects and writes to objects in the bucket.
Correct answer: B
Explanation
Creating an IAM role in the project account and naming the team accounts as principals in its trust policy (Option B) is the AWS-recommended pattern for cross-account access. Each team's users call sts:AssumeRole and receive temporary credentials scoped to the role's permissions, so no long-term access keys ever leave a team's own account; this rules out Option D, where shared IAM user keys are long-lived, cannot be tied to an individual, and would have to be rotated every time a team member leaves. Because the assumed role is a principal in the bucket's own account, every object the teams write is owned by that account. With a cross-account bucket policy alone (Option C), each team would still have to grant its own users S3 permissions on a bucket in a foreign account, and unless the bucket's Object Ownership setting is bucket owner enforced, objects written by other accounts' principals stay owned by those accounts, which is a common source of "bucket owner cannot read its own bucket" incidents. S3 ACLs (Option A) are a legacy mechanism that AWS recommends disabling, and an ACL grant would likewise leave the teams without the identity-side permissions they need. Note that Option B requires configuration on both sides: the trust policy and permissions policy on the role in the project account, plus an identity policy in each team account that allows its users to assume that specific role.
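The three policy documents that Option B needs, as an added example (this is not code from the exam or from AWS; the account IDs, bucket name and role name are made-up placeholders). The block generates the role's trust policy and permissions policy for the project account, the assume-role identity policy for each team account, and includes a small least-privilege checker that flags the mistakes most often seen in practice: a wildcard principal in the trust policy, or the role's permissions reaching beyond the one bucket.

```python
"""Cross-account S3 access via an assumed IAM role (exam Option B).

Added illustration, not AWS or exam material. All identifiers below are
hypothetical: 111111111111 is the project account that owns the bucket,
the 2222.../3333.../4444... accounts are the team accounts.
"""
import json

BUCKET = "project-collab-bucket"           # assumed bucket name
BUCKET_ACCOUNT = "111111111111"            # assumed project account
TEAM_ACCOUNTS = ["222222222222", "333333333333", "444444444444"]
ROLE_NAME = "ProjectBucketAccessRole"      # assumed role name

# The only S3 actions the requirement ("read objects and write to objects") needs.
ALLOWED_S3_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:PutObject"}


def trust_policy(team_accounts):
    """Trust policy on the role in the project account: only the listed team
    accounts may assume it. Trusting the account root delegates to each team's
    own IAM admins the decision of which users/groups get sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in team_accounts]},
            "Action": "sts:AssumeRole",
        }],
    }


def role_permissions_policy(bucket):
    """Permissions policy attached to the role: list the bucket, get/put objects.
    Bucket-level and object-level actions need different Resource ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def team_assume_role_policy(bucket_account, role_name):
    """Identity policy attached to users or a group in each team account.
    Without this, the trust policy alone is not enough: the team side must
    also allow the call, and it is scoped to this one role only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{bucket_account}:role/{role_name}",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, allowed_accounts):
    """Return findings; an empty list means only the intended accounts are trusted."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any principal")
            continue
        for p in _as_list(principal.get("AWS", [])):
            # Principals may be a full ARN or a bare 12-digit account ID.
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in allowed_accounts:
                findings.append(f"unexpected trusted account {account}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action}")
    return findings


def check_permissions_policy(policy, bucket):
    """Return findings; an empty list means the role is confined to read/write on this bucket."""
    findings = []
    ok_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action not in ALLOWED_S3_ACTIONS:
                findings.append(f"action {action} is broader than read/write on objects")
        for res in _as_list(stmt["Resource"]):
            if res not in ok_resources:
                findings.append(f"resource {res} is outside bucket {bucket}")
    return findings


if __name__ == "__main__":
    for name, doc in (("trust", trust_policy(TEAM_ACCOUNTS)),
                      ("role-permissions", role_permissions_policy(BUCKET)),
                      ("team-assume-role", team_assume_role_policy(BUCKET_ACCOUNT, ROLE_NAME))):
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
    print("trust findings:", check_trust_policy(trust_policy(TEAM_ACCOUNTS), TEAM_ACCOUNTS))
    print("perm findings:", check_permissions_policy(role_permissions_policy(BUCKET), BUCKET))
```

Once the role exists with these documents, a team member obtains temporary credentials with `aws sts assume-role --role-arn arn:aws:iam::111111111111:role/ProjectBucketAccessRole --role-session-name <name>` (or an equivalent profile with `role_arn` and `source_profile` in the CLI config) and then runs ordinary `aws s3` commands; objects written this way are owned by the project account, so no ACL or Object Ownership workaround is needed. If `check_trust_policy` ever reports a wildcard principal, fix it before deployment: a role trusting `*` is an open door to every AWS account.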