AWS Certified Security – Specialty — Question 367
Company A has an AWS account that is named Account A. Company A recently acquired Company B, which has an AWS account that is named Account B. Company B stores its files in an Amazon S3 bucket. The administrators need to give a user from Account A full access to the S3 bucket in Account B.
After the administrators adjust the IAM permissions for the user in Account A to access the S3 bucket in Account B, the user still cannot access any files in the S3 bucket.
Which solution will resolve this issue?
Answer options
- A. In Account B, create a bucket ACL to allow the user from Account A to access the S3 bucket in Account B.
- B. In Account B, create an object ACL to allow the user from Account A to access all the objects in the S3 bucket in Account B.
- C. In Account B, create a bucket policy to allow the user from Account A to access the S3 bucket in Account B.
- D. In Account B, create a user policy to allow the user from Account A to access the S3 bucket in Account B.
Correct answer: C
Explanation
To enable cross-account access to an Amazon S3 bucket, permissions must be granted on both sides: by the source account (via an IAM policy on the user) and by the destination account (via an S3 bucket policy on the bucket). Since the IAM policy in Account A has already been configured, adding a bucket policy to the S3 bucket in Account B that allows the user from Account A is the step that completes the cross-account grant. User policies in Account B cannot be applied directly to a user residing in Account A, and S3 ACLs are not the standard or recommended method for managing cross-account bucket-level access.