Exam AWS Certified Solutions Architect - Professional topic 1 question 598 discussion

A media company has a static web application that is generated programmatically. The company has a build pipeline that generates HTML content that is uploaded to an Amazon S3 bucket served by Amazon CloudFront. The build pipeline runs inside a Build Account. The S3 bucket and CloudFront distribution are in a Distribution Account. The build pipeline uploads the files to Amazon S3 using an IAM role in the Build Account. The S3 bucket has a bucket policy that only allows CloudFront to read objects using an origin access identity (OAI). During testing, all attempts to access the application using the CloudFront URL result in an HTTP 403 Access Denied response.
What should a solutions architect suggest to the company to allow access to the objects in Amazon S3 through CloudFront?

  • A. Modify the S3 upload process in the Build Account to add the bucket-owner-full-control ACL to the objects at upload.
  • B. Create a new cross-account IAM role in the Distribution Account with write access to the S3 bucket. Modify the build pipeline to assume this role to upload the files to the Distribution Account.
  • C. Modify the S3 upload process in the Build Account to set the object owner to the Distribution Account.
  • D. Create a new IAM role in the Distribution Account with read access to the S3 bucket. Configure CloudFront to use this new role as its OAI. Modify the build pipeline to assume this role when uploading files from the Build Account.
Suggested Answer: B

Comments

Nemer
Highly Voted 3 years, 7 months ago
A. https://aws.amazon.com/tw/premiumsupport/knowledge-center/s3-bucket-owner-access/
upvoted 23 times
viet1991
3 years, 6 months ago
A is right. By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant you (the bucket owner) access. aws s3 cp BuildAccountFile s3://DistributionAccountS3/ --acl bucket-owner-full-control
upvoted 5 times
Byrney
2 years, 6 months ago
B: This exact scenario is detailed here: https://aws.amazon.com/premiumsupport/knowledge-center/codepipeline-artifacts-s3/ The cross account role sets the owner as the distribution account.
upvoted 2 times
darthvoodoo
Highly Voted 3 years, 7 months ago
The answer is definitely A...this is one of the questions that always pops up in the security specialty exam https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/ If B was the issue, you would have been getting a 404 error instead.
upvoted 11 times
petebear55
3 years, 7 months ago
WELL DONE
upvoted 1 times
tekkart
3 years, 6 months ago
At first I thought it was B, then I changed my mind to A. It is not the Pipeline in Build Account which cannot access the object (answer B). It is CloudFront, together with S3 bucket in Distribution Account, activated by OAI, which cannot access the object. Because, by giving cross-account permission, it lost its bucket full control: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-8 I go with A
upvoted 1 times
01037
3 years, 7 months ago
Good point
upvoted 1 times
oscargee
3 years, 6 months ago
It's not A because it means S3 bucket owner asks permission of object. In this case, S3 belongs to CloudFront but accessor is app. So app won't have same permission as CloudFront. You have to choose B.
upvoted 1 times
dev112233xx
Most Recent 2 years ago
Selected Answer: A
A is the correct answer. B is almost correct, cross account can solve the ACL issue but only when adding this condition in the role: "s3:x-amz-acl": "bucket-owner-full-control" https://repost.aws/knowledge-center/s3-bucket-owner-full-control-acl
upvoted 1 times
[Removed]
2 years, 2 months ago
Selected Answer: B
If the bucket policy grants public read access, confirm that the AWS account that owns the bucket also owns the object. For a bucket policy to allow public read access to objects, the AWS account that owns the bucket must also own the objects. For existing Amazon S3 buckets with the default object ownership settings, the object owner is the AWS account of the AWS Identity and Access Management (IAM) identity which uploaded the object to the bucket.
upvoted 1 times
[Removed]
2 years, 2 months ago
Selected B by mistake, I meant to vote A
upvoted 1 times
Dionenonly
2 years, 7 months ago
Selected Answer: A
Answer is A. No brainer
upvoted 1 times
CloudHell
2 years, 11 months ago
My initial instinct was B, but after reading the comments A sounds like a better choice.
upvoted 1 times
johnnsmith
3 years, 2 months ago
B is correct. There are three possible Object Ownership settings: (1) Bucket owner enforced: bucket owner always owns the object. That is not the case we have here. (2) Bucket owner preferred: If an object upload includes the bucket-owner-full-control canned ACL, the bucket owner owns the object. Objects uploaded with other ACLs are owned by the writing account. Answer A would only work with this setting. But we don't know if the bucket used this setting. (3) Object writer: Object writer owns the object. Answer B works regardless of the Object Ownership setting of the bucket. Details at https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
upvoted 2 times
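The ownership rules johnnsmith lists, and the effect of the bucket-owner-full-control ACL that the thread argues about, as a small Python model. This is an added example, not code from the thread or from AWS; the account IDs and the function names are constructed for illustration.

```python
"""Model of S3 Object Ownership + bucket-owner-full-control for a cross-account upload.
Added example (not from the thread); account IDs below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Ownership(Enum):
    BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced"    # ACLs disabled; bucket owner owns everything
    BUCKET_OWNER_PREFERRED = "BucketOwnerPreferred"  # ownership moves only with the canned ACL
    OBJECT_WRITER = "ObjectWriter"                   # default for older buckets


BOFC = "bucket-owner-full-control"


@dataclass(frozen=True)
class S3Object:
    owner: str                        # account that owns the object after the upload
    bucket_owner_full_control: bool   # bucket owner owns it, or its ACL granted FULL_CONTROL


def put_object(bucket_owner: str, writer: str, ownership: Ownership,
               acl: Optional[str] = None) -> S3Object:
    """Who owns the object after PutObject, under each Object Ownership setting."""
    if ownership is Ownership.BUCKET_OWNER_ENFORCED:
        if acl not in (None, BOFC):   # other ACLs fail with AccessControlListNotSupported
            raise PermissionError("AccessControlListNotSupported")
        return S3Object(bucket_owner, True)
    if writer == bucket_owner:        # option B: the pipeline assumed a Distribution Account role
        return S3Object(bucket_owner, True)
    if ownership is Ownership.BUCKET_OWNER_PREFERRED and acl == BOFC:
        return S3Object(bucket_owner, True)
    # ObjectWriter, or BucketOwnerPreferred without the canned ACL: the writer keeps ownership;
    # the ACL (if present) only grants the bucket owner FULL_CONTROL on the object
    return S3Object(writer, acl == BOFC)


def oai_can_read(obj: S3Object, bucket_owner: str) -> bool:
    """The bucket policy (the OAI grant) can only delegate rights the bucket owner holds."""
    return obj.owner == bucket_owner or obj.bucket_owner_full_control


DIST, BUILD = "111111111111", "222222222222"   # constructed account IDs

if __name__ == "__main__":
    broken = put_object(DIST, BUILD, Ownership.OBJECT_WRITER)            # the question's 403
    option_a = put_object(DIST, BUILD, Ownership.OBJECT_WRITER, acl=BOFC)
    option_b = put_object(DIST, DIST, Ownership.OBJECT_WRITER)
    for name, obj in (("broken", broken), ("A", option_a), ("B", option_b)):
        print(name, obj, "OAI read:", oai_can_read(obj, DIST))
```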
cldy
3 years, 5 months ago
A. Modify the S3 upload process in the Build Account to add the bucket-owner-full-control ACL to the objects at upload.
upvoted 1 times
AzureDP900
3 years, 5 months ago
A is fine
upvoted 1 times
student22
3 years, 6 months ago
A https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/
upvoted 2 times
blackgamer
3 years, 6 months ago
It definitely is A. This document explains it - https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#object-ownership-replication
upvoted 1 times
WhyIronMan
3 years, 6 months ago
I'll go with A
upvoted 1 times
SJain50
3 years, 6 months ago
B https://aws.amazon.com/premiumsupport/knowledge-center/codepipeline-artifacts-s3/
upvoted 2 times
Waiweng
3 years, 6 months ago
it's A
upvoted 1 times
kiev
3 years, 6 months ago
Neal Davis went for B. I am going for my exam next week. I am lost now. I know both A and B work
upvoted 4 times
ele
3 years, 6 months ago
A is correct. By assuming cross-account role, the pipeline would give up any permissions in Build account, that it might need to complete build actions. So it must keep with its own role and the answer is A.
upvoted 3 times
Kian1
3 years, 6 months ago
going with A
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%)