AWS Certified SysOps Administrator – Associate — Question 338
A SysOps administrator is responsible for a company's disaster recovery procedures. The company has a source Amazon S3 bucket in a production account, and it wants to replicate objects from the source to a destination S3 bucket in a nonproduction account. The SysOps administrator configures S3 cross-Region, cross-account replication to copy the source S3 bucket to the destination S3 bucket. When the SysOps administrator attempts to access objects in the destination S3 bucket, they receive an Access Denied error.
Which solution will resolve this problem?
Answer options
- A. Modify the replication configuration to change object ownership to the destination S3 bucket owner.
- B. Ensure that the replication rule applies to all objects in the source S3 bucket and is not scoped to a single prefix.
- C. Retry the request when the S3 Replication Time Control (S3 RTC) has elapsed.
- D. Verify that the storage class for the replicated objects did not change between the source S3 bucket and the destination S3 bucket.
Correct answer: A
Explanation
In cross-account Amazon S3 replication, the source account still owns the replicated objects by default, which prevents the destination account from accessing them. To resolve the Access Denied error, the replication configuration must be updated to change the object ownership to the destination bucket owner (using the replica owner override option). Other options, such as adjusting prefix scope, waiting for S3 RTC, or matching storage classes, do not address the cross-account ownership and permissions discrepancy.
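The ownership gap described in the explanation can be checked before anyone hits Access Denied. The following is an added example, not part of the original question: it audits a replication configuration dict shaped like the S3 `GetBucketReplication` response, and the account IDs, bucket names and rule IDs are constructed sample values.

```python
# Added example: flag cross-account replication rules that leave replicas
# owned by the source account (no replica owner override).
SOURCE_ACCOUNT = "111111111111"   # constructed production account ID
DEST_ACCOUNT = "222222222222"     # constructed nonproduction account ID

def _rule(rule_id, destination):
    # Helper for building the constructed sample rules below.
    return {"ID": rule_id, "Status": "Enabled", "Destination": destination}

# Weak: cross-account destination, ownership left with the source account.
WEAK_CONFIG = {"Rules": [_rule("dr-copy", {
    "Bucket": "arn:aws:s3:::example-dr-bucket",
    "Account": DEST_ACCOUNT,
})]}

# Corrected: replica ownership is translated to the destination bucket owner.
FIXED_CONFIG = {"Rules": [_rule("dr-copy", {
    "Bucket": "arn:aws:s3:::example-dr-bucket",
    "Account": DEST_ACCOUNT,
    "AccessControlTranslation": {"Owner": "Destination"},
})]}

def audit_replication_ownership(source_account_id, replication_config):
    """Return (rule_id, finding) tuples for enabled rules at risk."""
    findings = []
    for rule in replication_config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # disabled rules replicate nothing
        dest = rule.get("Destination", {})
        owner = dest.get("AccessControlTranslation", {}).get("Owner")
        if owner == "Destination":
            continue  # owner override is in place
        rule_id = rule.get("ID", "<no id>")
        dest_account = dest.get("Account")
        if dest_account is None:
            # Without Destination.Account the rule alone cannot show
            # whether the destination bucket is in another account.
            findings.append((rule_id, "destination account unknown"))
        elif dest_account != source_account_id:
            findings.append((rule_id, "replicas stay owned by source account"))
    return findings

if __name__ == "__main__":
    print(audit_replication_ownership(SOURCE_ACCOUNT, WEAK_CONFIG))
    print(audit_replication_ownership(SOURCE_ACCOUNT, FIXED_CONFIG))
```

The owner override also depends on the `s3:ObjectOwnerOverrideToBucketOwner` permission, which the replication role needs and the destination bucket policy must allow.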