AWS Certified SysOps Administrator – Associate (legacy) — Question 900

A company must share monthly report files that are uploaded to Amazon S3 with a third party. The third-party user list is dynamic, is distributed, and changes frequently. The least amount of access must be granted to the third party. Administrative overhead must be low for the internal teams who manage the process.
How can this be accomplished while providing the LEAST amount of access to the third party?

Answer options

• A. Allow only specified IP addresses to access the S3 buckets which will host files that need to be provided to the third party.
• B. Create an IAM role with the appropriate access to the S3 bucket, and grant login permissions to the console for the third party to access the S3 bucket.
• C. Create a pre-signed URL that can be distributed by email to the third party, allowing it to download specific S3 filed.
• D. Have the third party sign up for an AWS account, and grant it cross-account access to the appropriate S3 bucket in the source account.

Correct answer: A

Explanation

Restricting access to the S3 bucket by specifying allowed IP addresses in a bucket policy minimizes administrative overhead because the internal team does not need to manage individual credentials for a constantly changing user list. Options involving console access (Option B) or cross-account access (Option D) require significant administrative setup and management. Generating and emailing pre-signed URLs (Option C) introduces security risks and overhead in distributing them to a dynamic and distributed group of users.