Exam AWS Certified Security - Specialty topic 1 question 351 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 351
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company provides an AWS account for each of its teams. Members of each team authenticate with AWS by using user accounts in their own team’s account.

The company created a project-specific AWS account for collaboration by three or more teams. The company also created a new Amazon S3 bucket inside this new account. There is no S3 bucket policy or S3 ACL. A security engineer must implement a secure solution so that all teams can read objects and write to objects that are stored in the S3 bucket.

What should the security engineer do to meet these requirements?

  • A. In the same AWS account where the S3 bucket resides, update the bucket’s ACL to include the canonical user ID of the teams’ AWS accounts. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket.
  • B. In the same AWS account where the S3 bucket resides, create an IAM role that has appropriate permissions for the bucket. Include a trust policy that specifies the teams’ AWS accounts as the principals. Teams will assume the role when they read objects and write to objects in the bucket.
  • C. In the same AWS account where the S3 bucket resides, add a bucket policy to allow all the teams to read objects and write to objects in the bucket. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket.
  • D. In the same AWS account where the S3 bucket resides, create an IAM user, an IAM group, and access keys for each team. Each team will share its access keys when the team reads objects and writes to objects in the bucket.
Suggested Answer: B

Comments

AdamWest
Highly Voted 2 years, 5 months ago
Selected Answer: B
B https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
upvoted 8 times
Wilson_S
2 years, 4 months ago
“By assuming an IAM role in Account A, the Amazon S3 operation is determined by the access policy. The IAM role is deemed as an API call made by a local IAM entity in Account A. A bucket policy or an ACL for cross-account access isn't required.”
upvoted 3 times
tryks
Highly Voted 2 years, 5 months ago
Selected Answer: C
Answer C https://beabetterdev.com/2022/03/15/s3-bucket-policy-vs-iam/
upvoted 5 times
Toptip
Most Recent 1 year, 11 months ago
Selected Answer: B
B is correct. C is a trap. It says: "Teams will specify the account number of the AWS account where the bucket is located", which doesn't make sense at all.
upvoted 2 times
6_8ftwin
1 year, 11 months ago
B. Bucket names use a global namespace.
upvoted 1 times
ITGURU51
2 years ago
This solution allows all teams to read and write objects in the S3 bucket securely by assuming a role with appropriate permissions. The trust policy ensures that only the specified teams’ AWS accounts can assume the role. This is a secure and scalable solution for cross-account access to an S3 bucket. B
upvoted 1 times
nairj
2 years, 1 month ago
Answer is B: delegate access across AWS accounts using cross-account access - https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html. C is not correct, since that option says users pass on the account number while accessing the bucket?
upvoted 1 times
Mickey321
2 years, 2 months ago
Why is B correct? It says the IAM role is created in the same AWS account that has the S3 bucket. Shouldn't the IAM role be created in the other teams' accounts? What am I missing?
upvoted 1 times
sakibmas
2 years, 4 months ago
Selected Answer: B
Easy cross-account management is the best reason to use bucket policies over IAM. However, C could NOT be the answer as it is not possible to specify the account number while reading or writing objects.
upvoted 2 times
Smartphone
2 years, 4 months ago
C could NOT be the answer. The option says "...specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket." How can the account number be mentioned in the CLI while reading and writing the object? Cross-account access would be possible by configuring a new profile.
upvoted 2 times
Smartphone
2 years, 4 months ago
B is the correct answer. 1. Create a trust relationship by creating a role in the account and specifying the account ID. 2. Assume the role while accessing the object and bucket contents.
upvoted 1 times
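Option B expressed as policy documents, as an added example that is not part of this thread or of AWS's own tooling: the script builds the role's trust policy (trusting only the team accounts) and the role's bucket permission policy, and lints a trust policy for wildcard or unexpected principals before it is deployed. The bucket name and account IDs are constructed placeholders.

```python
# Constructed placeholder values: replace with the real bucket and the team account IDs.
BUCKET_NAME = "example-project-shared-bucket"
TEAM_ACCOUNT_IDS = ["111111111111", "222222222222", "333333333333"]


def build_trust_policy(team_account_ids):
    """Trust policy for the role in the bucket's account: only the listed
    team accounts may call sts:AssumeRole on it (option B)."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in team_account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": principals},
                       "Action": "sts:AssumeRole"}],
    }


def build_bucket_permissions(bucket_name):
    """Identity policy attached to the role: list the bucket and read/write its
    objects, nothing else. No bucket policy or ACL is needed, because the role
    is a local principal in the bucket's own account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket_name}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket_name}/*"},
        ],
    }


def audit_trust_policy(policy, allowed_account_ids):
    """Lint a trust policy: flag wildcard principals and any account outside
    the approved team list. An empty result means the policy passes."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for entry in ([aws] if isinstance(aws, str) else aws):
            if entry == "*":
                findings.append("wildcard AWS principal")
                continue
            # ARN form is arn:partition:iam::ACCOUNT:..., so the account is field 4.
            acct = entry.split(":")[4] if entry.startswith("arn:") else entry
            if acct not in allowed_account_ids:
                findings.append(f"unexpected principal {entry}")
    return findings
```

Each team then calls sts:AssumeRole on the role from its own account and uses the returned temporary credentials for the S3 calls.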
YellowSky002
2 years, 4 months ago
The answer is C. This is typical cross-account access, where you need 2 things: 1. Create an S3 bucket resource policy in the account where the S3 bucket is created. 2. Create an IAM role or user in the accounts of the teams seeking access.
upvoted 1 times
aj2aj2
2 years, 4 months ago
C. Agreed. If you have a certain S3 bucket that is going to be used throughout an organization or group of teams, it makes more sense to control permissions at the bucket level.
upvoted 2 times
D2
2 years, 5 months ago
Selected Answer: B
Answer B
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other