AWS Certified Solutions Architect – Professional — Question 978
A large industrial company has two AWS accounts. One account is for production, and one account is for development. The company manages the production account under its corporate organization in AWS Organizations. The development account is an isolated environment that developers use for testing.
The company stores all the application configuration information in an Amazon S3 bucket in the production account. All developers in the development account are members of a single IAM group. A solutions architect must ensure that the developers can update the application configuration information in real time.
What is the MOST operationally efficient solution that meets these requirements?
Answer options
- A. In the production account, modify the S3 bucket policy by adding the development account ID in the condition field. Add a permissions policy to the developers' IAM group to allow users to put objects in the production S3 bucket.
- B. In the production account, create a two-staged pipeline that uses AWS CodeDeploy and an S3 bucket that has versioning enabled. Create an IAM role in the production account that has the permission to put objects in the S3 bucket. Associate the role with the pipeline. Allow developers to push a new version in the S3 bucket.
- C. Create an IAM role in the production account. Establish a trust relationship between the production account and the development account. Specify a permissions policy in the role to allow trusted users to put objects in the S3 bucket. Grant sts:AssumeRole permissions to the developers' IAM group for the role.
- D. Create an S3 bucket in the development account. Enable S3 bucket replication between the development S3 bucket and the production S3 bucket.
Correct answer: C
Explanation
Option C is correct because establishing a cross-account IAM role with a trust relationship is the AWS-recommended best practice for secure, real-time cross-account resource access. This allows developers to temporarily assume the production role using sts:AssumeRole to write directly to the production S3 bucket. Option A is incorrect because a local IAM group policy cannot directly authorize access to external account resources without a trusted role. Option B introduces unnecessary operational complexity, and Option D's replication model adds latency and configuration overhead.
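As an added illustration of option C (example code, not part of the original question and not AWS's own documentation), the three policy documents the cross-account pattern needs, plus a small helper that reads back which accounts a trust policy actually lets in. Account IDs, the bucket name and the role name are constructed placeholders.

```python
# Constructed placeholder values, not taken from the question.
PROD_ACCOUNT = "111111111111"
DEV_ACCOUNT = "222222222222"
BUCKET = "app-config-bucket-example"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/ConfigWriterRole"


def trust_policy():
    # Attached to the production role: only principals from the development
    # account may assume it. A trust policy grants nothing beyond sts:AssumeRole.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
        "Action": "sts:AssumeRole"}]}


def role_permissions_policy():
    # What the production role may do once assumed: put objects into the
    # configuration bucket only, not s3:* on every bucket in the account.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}


def developer_group_policy():
    # Attached to the developers' IAM group in the development account:
    # members may call sts:AssumeRole on exactly this production role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN}]}


def trusted_accounts(trust):
    # Review helper: the account IDs a trust policy lets assume the role.
    # Accepts both "arn:aws:iam::<id>:root" and bare "<id>" principal forms.
    accounts = set()
    for stmt in trust["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        for p in ([principals] if isinstance(principals, str) else principals):
            accounts.add(p.split(":")[4] if p.startswith("arn:") else p)
    return accounts
```

Trusting the development account's root principal delegates the choice of who may assume the role to that account's own IAM policies, which is why the group policy in the development account is still required.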