AWS Certified Solutions Architect – Professional — Question 754

A company is running a web application on Amazon EC2 instances in a production AWS account. The company requires all logs generated from the web application to be copied to a central AWS account for analysis and archiving. The company's AWS accounts are currently managed independently. Logging agents are configured on the EC2 instances to upload the log files to an Amazon S3 bucket in the central AWS account.

A solutions architect needs to provide access for a solution that will allow the production account to store log files in the central account. The central account also needs to have read access to the log files.

What should the solutions architect do to meet these requirements?

Answer options

• A. Create a cross-account role in the central account. Assume the role from the production account when the logs are being copied.
• B. Create a policy on the S3 bucket with the production account ID as the principal. Allow S3 access from a delegated user.
• C. Create a policy on the S3 bucket with access from only the CIDR range of the EC2 instances in the production account. Use the production account ID as the principal.
• D. Create a cross-account role in the production account. Assume the role from the production account when the logs are being copied.

Correct answer: A

Explanation

Assuming a cross-account role in the destination (central) account ensures that any objects uploaded to the S3 bucket are owned by the central account, granting it immediate read access. If the production account uploaded files directly using its own identity, the central account would not own the objects by default and would lack read access. Creating the role in the production account (Option D) or relying solely on bucket policies (Options B and C) does not resolve this object ownership issue.