Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 137 discussion

A digital marketing company has multiple AWS accounts that belong to various teams. The creative team uses an Amazon S3 bucket in its AWS account to securely store images and media files that are used as content for the company’s marketing campaigns. The creative team wants to share the S3 bucket with the strategy team so that the strategy team can view the objects.

A solutions architect has created an IAM role that is named strategy_reviewer in the Strategy account. The solutions architect also has set up a custom AWS Key Management Service (AWS KMS) key in the Creative account and has associated the key with the S3 bucket. However, when users from the Strategy account assume the IAM role and try to access objects in the S3 bucket, they receive an Access Denied error.

The solutions architect must ensure that users in the Strategy account can access the S3 bucket. The solution must provide these users with only the minimum permissions that they need.

Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)

  • A. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to the account ID of the Strategy account.
  • B. Update the strategy_reviewer IAM role to grant full permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.
  • C. Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.
  • D. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to an anonymous user.
  • E. Update the custom KMS key policy in the Creative account to grant encrypt permissions to the strategy_reviewer IAM role.
  • F. Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.

Suggested Answer: ACF

Comments

God_Is_Love
Highly Voted 1 year, 7 months ago
Selected Answer: ACF
B wrong - full permissions? When the question asks for minimum permissions.
D wrong - anonymous user? Anonymous does not work.
E wrong - encrypt permissions? No, the Strategy account needs decrypt permissions.
So, A, C, F.
upvoted 13 times
God_Is_Love
1 year, 7 months ago
First, the source bucket needs to grant access through the bucket policy and the KMS key policy (options A, C). Secondly, the Strategy IAM role needs to give access to read from the S3 bucket and also the KMS key (option F).
upvoted 3 times
leehjworking
Highly Voted 1 year, 5 months ago
Selected Answer: ACF
B full permission? X
D anonymous? X
E encryption not needed for strategy team
upvoted 6 times
career360guru
Most Recent 10 months, 1 week ago
Selected Answer: ACF
A, C and F
upvoted 1 times
SK_Tyagi
1 year, 2 months ago
Selected Answer: ACF
By rule of elimination BDE are wrong. God_Is_Love is spot on
upvoted 1 times
NikkyDicky
1 year, 3 months ago
Selected Answer: ACF
It's ACF
upvoted 2 times
OCHT
1 year, 6 months ago
Selected Answer: ACF
Option B suggests updating the strategy_reviewer IAM role to grant full permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key. This option is not ideal because it grants more permissions than necessary. The requirement is to provide users with only the minimum permissions they need to view objects in the S3 bucket.
Option D suggests creating a bucket policy that includes read permissions for the S3 bucket and setting the principal of the bucket policy to an anonymous user. This option is not ideal because it would allow anyone to read objects in the S3 bucket, which could pose a security risk.
Option E suggests updating the custom KMS key policy in the Creative account to grant encrypt permissions to the strategy_reviewer IAM role. This option is not necessary because the requirement is for users in the Strategy account to be able to view objects in the S3 bucket, not to encrypt them.
upvoted 3 times
mfsec
1 year, 7 months ago
Selected Answer: ACF
ACF is the best choice
upvoted 2 times
taer
1 year, 7 months ago
Selected Answer: ACF
A. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to the account ID of the Strategy account.
C. Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.
F. Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.
upvoted 2 times
zozza2023
1 year, 9 months ago
Selected Answer: ACF
A C AND F
upvoted 3 times
Untamables
1 year, 9 months ago
Selected Answer: ACF
https://repost.aws/knowledge-center/cross-account-access-denied-error-s3
upvoted 3 times
masetromain
1 year, 9 months ago
Selected Answer: ACF
A, C, and F are the correct options.
upvoted 4 times
masetromain
1 year, 9 months ago
A, C, and F are the correct options.
Option A creates a bucket policy that includes read permissions for the S3 bucket and sets the principal of the bucket policy to the account ID of the Strategy account. This ensures that users in the Strategy account have the necessary permissions to access the S3 bucket.
Option C updates the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role. This ensures that the users in the Strategy account have the necessary permissions to decrypt the objects stored in the S3 bucket.
Option F updates the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key. This ensures that the users in the Strategy account have the necessary permissions to read the objects in the S3 bucket and to decrypt them using the custom KMS key.
The other options are not correct because they either grant unnecessary permissions (B, D) or grant permissions in the wrong way (E).
upvoted 3 times
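
The A, C and F combination written out as policy documents, with a small check for the over-broad grants that B, D and E would introduce. This is an added example, not part of the original thread; the account IDs, bucket name, key ARN and the reading of "read permissions" as `s3:GetObject` plus `s3:ListBucket` are assumptions.

```python
# Added example: account IDs, bucket name and key ARN are constructed placeholders.
CREATIVE, STRATEGY = "111111111111", "222222222222"
BUCKET = "arn:aws:s3:::creative-media-example"
KEY = f"arn:aws:kms:us-east-1:{CREATIVE}:key/EXAMPLE-KEY-ID"
ROLE = f"arn:aws:iam::{STRATEGY}:role/strategy_reviewer"
READ = ["s3:GetObject", "s3:ListBucket"]  # assumed meaning of "read permissions"

def stmt(actions, resource, principal=None):
    s = {"Effect": "Allow", "Action": actions, "Resource": resource}
    if principal is not None:
        s["Principal"] = principal
    return s

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# A: bucket policy in the Creative account, principal = Strategy account ID.
bucket_policy = policy(stmt(READ, [BUCKET, BUCKET + "/*"], {"AWS": STRATEGY}))
# C: statement added to the key policy in the Creative account ("*" = this key).
key_policy = policy(stmt(["kms:Decrypt"], "*", {"AWS": ROLE}))
# F: identity policy attached to strategy_reviewer in the Strategy account.
role_policy = policy(stmt(READ, [BUCKET, BUCKET + "/*"]), stmt(["kms:Decrypt"], KEY))

def findings(doc):
    """Flag the over-broad grants that options B, D and E would introduce."""
    out = []
    for s in doc["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        if p == "*" or aws == "*" or (isinstance(aws, list) and "*" in aws):
            out.append("anonymous principal")          # option D
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        for a in acts:
            if "*" in a:
                out.append(f"wildcard action {a}")     # option B
            elif a.lower().startswith("kms:") and a.lower() != "kms:decrypt":
                out.append(f"KMS action not needed to read: {a}")  # option E
    return out

if __name__ == "__main__":
    import json
    for name, doc in [("bucket", bucket_policy), ("key", key_policy), ("role", role_policy)]:
        print(name, findings(doc) or "ok")
        print(json.dumps(doc, indent=2))
```

Both sides have to allow the request: the resource policies in the Creative account (A, C) and the identity policy on the role in the Strategy account (F).
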
zhangyu20000
1 year, 9 months ago
ACF is correct
upvoted 2 times