AWS Certified SysOps Administrator – Associate (legacy) — Question 750

A SysOps Administrator is writing an AWS Lambda function in AWS Account A to put objects in an Amazon S3 bucket in AWS Account B. The Lambda function is able to successfully write new objects to the S3 bucket, but IAM users in Account B are unable to delete objects written to the bucket by Account A.
Which step will fix this issue?

Answer options

• A. Add s3:DeleteObject permission to the IAM execution role of the AWS Lambda function in Account A.
• B. Change the bucket policy of the S3 bucket in Account B to allow s3:DeleteObject permission for Account A.
• C. Disable server-side encryption for objects written to the S3 bucket by the Lambda function.
• D. Modify the Lambda function to call the S3:PutObjectAcl API operation to specify bucket owner, full control.

Correct answer: D

Explanation

By default, objects uploaded to an S3 bucket by an external account remain owned by the uploading account, preventing the bucket owner's IAM users from managing or deleting them. Modifying the Lambda function to apply the bucket-owner-full-control canned ACL using the S3:PutObjectAcl API operation transfers full control of the objects to the bucket owner (Account B). Modifying S3 bucket policies or execution roles in Account A does not resolve this object ownership mismatch.