A company needs to share an Amazon S3 bucket with an external vendor. The bucket owner must be able to access all objects. Which action should be taken to share the S3 bucket?
A. Update the bucket to be a Requester Pays bucket.
B. Update the bucket to enable cross-origin resource sharing (CORS).
C. Create a bucket policy to require users to grant bucket-owner-full-control when uploading objects.
D. Create an IAM policy to require users to grant bucket-owner-full-control when uploading objects.
Suggested Answer: C
By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant you (the bucket owner) access. The object owner can grant the bucket owner full control of the object by updating the access control list (ACL) of the object. The object owner can update the ACL either during a put or copy operation, or after the object is added to the bucket.
Similar: https://aws.amazon.com/it/premiumsupport/knowledge-center/s3-require-object-ownership/
Resolution: Add a bucket policy that grants users access to put objects in your bucket only when they grant you (the bucket owner) full control of the object.
Reference: https://aws.amazon.com/it/premiumsupport/knowledge-center/s3-bucket-owner-access/
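The bucket policy described in the resolution above, together with a small audit check, as an added example that is not part of the original page or of AWS's own tooling. The account ID, bucket name, Sids and function names are constructed placeholders. The check only recognises the Allow-with-StringEquals form of the rule; a policy that enforces it through a separate Deny statement is not modelled.

```python
import copy
import json

ACL_KEY = "s3:x-amz-acl"                    # S3 condition key for the canned ACL header
REQUIRED_ACL = "bucket-owner-full-control"

# Constructed sample: vendor account may PutObject only with the required ACL.
POLICY_ENFORCED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VendorPutRequiresOwnerFullControl",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-shared-bucket/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
  }]
}
""")

# Constructed weak variant: same grant, but the ACL condition is missing.
POLICY_WEAK = copy.deepcopy(POLICY_ENFORCED)
POLICY_WEAK["Statement"][0]["Sid"] = "VendorPutNoCondition"
del POLICY_WEAK["Statement"][0]["Condition"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_put(stmt):
    # Action names are case-insensitive; wildcards can also cover PutObject.
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & {"s3:putobject", "s3:put*", "s3:*", "*"})

def _requires_owner_acl(stmt):
    # True only if StringEquals pins s3:x-amz-acl to bucket-owner-full-control.
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return any(k.lower() == ACL_KEY and _as_list(v) == [REQUIRED_ACL]
               for k, v in cond.items())

def unguarded_put_statements(policy):
    """Return Sids of Allow statements that permit PutObject without the ACL rule."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in _as_list(policy["Statement"])
        if stmt.get("Effect") == "Allow"
        and _grants_put(stmt) and not _requires_owner_acl(stmt)
    ]
```
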
C is correct.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/#:~:text=During%20a%20put%20or%20copy%20operation%2C%20the%20object%20owner%20can,control%20to%20the%20bucket%20owner.&text=You%20can%20use%20a%20bucket,owner%2Dfull%2Dcontrol%22.
Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.
https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html
CORS is more to address the security feature where your browser will block if the S3 static website redirects to another origin.
No mention of redirection/website here.
The question is like this: you have a bucket and you want to share it with an external vendor. After sharing, the vendor starts uploading objects to your bucket. By default, the objects are owned by the account that uploaded them, "the vendor not you", and even though you are the owner of the bucket, you still don't have full permission to access the objects that are in it. If you want full access, then you have to create a bucket policy that forces anyone uploading an object to your bucket to give you full access. Ans C
- C
- "share a bucket with 3rd party provider" - this means the bucket owner and this provider can CRUD objects on the bucket
- By default, permissions for a newly-created object are restricted to the OBJECT OWNER, and we need to allow access to the BUCKET OWNER
- We can do that via an object ACL "bucket-owner-full-control"
C vs D.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-require-object-ownership/
'grant bucket-owner-full-control' is a bucket policy not IAM policy.
Answer is C.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysBuckets.html:
"With Requester Pays buckets, the requester instead of the bucket owner pays the cost of the request and the data download from the bucket"
A is wrong
https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/cors.html:
"Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain"
B is wrong
https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
"S3 Object Ownership is an Amazon S3 bucket setting that you can use to control ownership of new objects that are uploaded to your buckets. By default, when other AWS accounts upload objects to your bucket, the objects remain owned by the uploading account. With S3 Object Ownership, any new objects that are written by other accounts with the bucket-owner-full-control canned access control list (ACL) automatically become owned by the bucket owner, who then has full control of the objects."
Answer is C
C is the answer
Require that objects grant the bucket owner full control
You can use a bucket policy to require that any objects uploaded to your bucket by another account must set the ACL as "bucket-owner-full-control"
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/
The answer is A. Read about 'Requester pays bucket' and you will get it if you are smart.
CORS is not possible here so eliminated, and C, D are talking about uploading only so those are eliminated too.