A company has multiple AWS accounts for various departments. One of the departments wants to share an Amazon S3 bucket with all other departments. Which solution will require the LEAST amount of effort?
A. Enable cross-account S3 replication for the bucket.
B. Create a pre-signed URL for the bucket and share it with other departments.
C. Set the S3 bucket policy to allow cross-account access to other departments.
D. Create IAM users for each of the departments and configure a read-only IAM policy.
Since this is a use case on Cross AWS Account Access, pls correct me if wrong, but I think that for the requester AWS Account (of each dept) just creating their IAM Users is not enough; it probably also needs the provider AWS Account to create an IAM Role which grants access to its owned S3 bucket, together with a Trust Relationship Policy which allows the requester AWS Account(s) to perform AssumeRole. This is simply too much ops overhead.
Ans - C. Presigned URL is short-lived (7 days); the requirement doesn't mention anything on duration. Also, a presigned URL is at object level, so you have to create multiple URLs for multiple objects, which can be more work. A bucket policy will cover the above with the least time and effort.
C for me
A = You're not trying to replicate the bucket, but share it. So incorrect.
B = Could work, but you're then coordinating the sharing with all other departments. This could be 2 departments or 100 departments, you don't know.
C = Easiest because you're modifying the policy on the resource trying to be shared, it's a single action that you need to modify. Least effort.
D = Could work just as B could, but you're conducting massive effort depending on the amount of departments.
Presigned URL will expire after 7 days.
IAM and ACL policies are for programmatic access only. Hence B Cross account.
Resource-based policies and AWS Identity and Access Management (IAM) policies for programmatic-only access to S3 bucket objects
Resource-based Access Control List (ACL) and IAM policies for programmatic-only access to S3 bucket objects
Cross-account IAM roles for programmatic and console access to S3 bucket objects
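To make option C concrete, here is an added example (not part of the original question or any comment) that builds a single read-only bucket policy for several department accounts and then lists which accounts a policy actually grants access to. The bucket name, account IDs, Sids and function names are constructed placeholders.

```python
import json
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")

def cross_account_read_policy(bucket, account_ids):
    """Build one bucket policy granting read-only access to other accounts."""
    bad = [a for a in account_ids if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    principals = [f"arn:aws:iam::{a}:root" for a in sorted(set(account_ids))]

    def allow(sid, action, resource):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principals},
                "Action": action, "Resource": resource}

    return {
        "Version": "2012-10-17",
        "Statement": [
            # s3:ListBucket is evaluated against the bucket ARN itself
            allow("DeptListBucket", "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
            # s3:GetObject is evaluated against object ARNs
            allow("DeptGetObject", "s3:GetObject", f"arn:aws:s3:::{bucket}/*"),
        ],
    }

def granted_accounts(policy):
    """Return account IDs named in Allow statements; '*' means any principal."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        aws = principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            m = re.match(r"^arn:aws:iam::(\d{12}):", arn)
            found.add(m.group(1) if m else arn)
    return found

if __name__ == "__main__":
    # Constructed sample values, not real accounts or a real bucket.
    policy = cross_account_read_policy(
        "example-shared-bucket", ["111122223333", "444455556666"])
    print(json.dumps(policy, indent=2))
    print(sorted(granted_accounts(policy)))
```

Naming an account's `root` principal delegates the decision to that account: its IAM users and roles still need an identity policy in their own account that allows the same S3 actions on this bucket.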