AWS Certified Solutions Architect – Associate (SAA-C03) — Question 409

A solutions architect needs to allow team members to access Amazon S3 buckets in two different AWS accounts: a development account and a production account. The team currently has access to S3 buckets in the development account by using unique IAM users that are assigned to an IAM group that has appropriate permissions in the account.

The solutions architect has created an IAM role in the production account. The role has a policy that grants access to an S3 bucket in the production account.

Which solution will meet these requirements while complying with the principle of least privilege?

Answer options

Correct answer: B

Explanation

To enable cross-account access securely, the trust policy of the IAM role in the production account must trust the development account, so that the existing development IAM users can assume the role and, through it, reach the production S3 bucket. Granting AdministratorAccess or turning off S3 Block Public Access violates the principle of least privilege: each grants far more access than the task needs and needlessly widens the attack surface. Creating duplicate IAM users in the production account is inefficient and increases administrative overhead compared with reusing the existing development IAM identities.
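The three policy documents the accepted design relies on, as an added illustration rather than anything from the exam page: the trust policy on the production role (trusting the development account, not "*"), the role's bucket-scoped permissions, and the sts:AssumeRole grant on the existing development IAM group, plus two checks a reviewer can run over such documents to catch wildcard principals or grants. Account ids, bucket name and role name are placeholders.

```python
# Added illustration of the accepted design; account ids, bucket and role names are placeholders.
DEV_ACCOUNT = "111111111111"   # placeholder development account id
PROD_ACCOUNT = "222222222222"  # placeholder production account id
PROD_BUCKET = "example-production-bucket"
PROD_ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/ProdS3AccessRole"

# Trust policy on the production role: trusts the development account, not "*".
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
    "Action": "sts:AssumeRole"}]}

# Permissions policy on the production role: one bucket, no s3:* or AdministratorAccess.
ROLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": f"arn:aws:s3:::{PROD_BUCKET}"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": f"arn:aws:s3:::{PROD_BUCKET}/*"}]}

# Policy on the existing development IAM group: may assume only that one role.
GROUP_ASSUME_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": PROD_ROLE_ARN}]}

def _as_list(v): return v if isinstance(v, list) else [v]

def trust_policy_is_scoped(trust, allowed_account):
    """True only if every Allow statement trusts just allowed_account with only sts:AssumeRole."""
    expected = {f"arn:aws:iam::{allowed_account}:root", allowed_account}
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", "*")  # a bare "*" means anyone may assume
        if isinstance(principal, dict):
            principal = principal.get("AWS", "*")
        if any(p not in expected for p in _as_list(principal)):
            return False
        if set(_as_list(stmt["Action"])) != {"sts:AssumeRole"}:
            return False
    return True

def no_wildcard_grants(policy):
    """True if no Allow statement grants "*" / "s3:*" actions or a "*" resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if any(a in ("*", "s3:*") for a in actions) or "*" in resources:
            return False
    return True
```

Because the trust policy names the whole development account, the group policy's sts:AssumeRole grant is what limits assumption to the intended team; both halves are needed for the least-privilege result.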