AWS Certified Solutions Architect – Professional — Question 676

A digital marketing company has multiple AWS accounts that belong to various teams. The creative team uses an Amazon S3 bucket in its AWS account to securely store images and media files that are used as content for the company's marketing campaigns. The creative team wants to share the S3 bucket with the strategy team so that the strategy team can view the objects.
A solutions architect has created an IAM role that is named strategy_reviewer in the Strategy account. The solutions architect also has set up a custom AWS Key
Management Service (AWS KMS) key in the Creative account and has associated the key with the S3 bucket. However, when users from the Strategy account assume the IAM role and try to access objects in the S3 bucket, they receive an Access Denied error.
The solutions architect must ensure that users in the Strategy account can access the S3 bucket. The solution must provide these users with only the minimum permissions that they need.
Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)

Answer options

Correct answer: A, C, F

Explanation

To enable cross-account read access to an S3 bucket encrypted with a custom KMS key, permissions must be established on the S3 bucket policy, the KMS key policy, and the IAM role. The S3 bucket policy in the Creative account must allow access to the Strategy account ID (Option A), and the strategy_reviewer IAM role in the Strategy account must have identity-based permissions to read from the bucket and decrypt via the KMS key (Option F). Finally, because the KMS key is in the Creative account, its key policy must explicitly delegate decrypt permissions to the cross-account strategy_reviewer IAM role (Option C).