AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company operates under a multi-account strategy where one account is managed by the security engineers and another is operated by a separate team responsible for network administration. The security team needs to allow the network administration team's account access to a specific Amazon S3 bucket without broadening the access to other accounts. Which of the following is the MOST secure way to grant the required access?
Set up a bucket policy that limits access to the S3 bucket based on the source IP range of the network administration team's office location.
Edit the S3 bucket's Access Control List (ACL) to include the user identifiers from the team handling network administration.
Implement a policy for individual users in the security engineers' account that grants permissions to the network administration team.
Attach a resource-based policy directly to the S3 bucket identifying the network administration team's account as the principal with the specified permissions.
Attach a resource-based policy (bucket policy) to the S3 bucket that identifies the network administration team's AWS account as the principal and grants only the required permissions. A bucket policy is evaluated in the account that owns the resource and explicitly supports specifying an entire account in the Principal element, which cleanly limits access to that account.
IAM identity-based policies in the security engineers' account cannot by themselves grant principals from another account access to the bucket; a resource-based policy in the bucket owner's account is still required for cross-account access. Although legacy S3 ACLs can grant permissions to another AWS account via that account's canonical user ID, AWS now recommends disabling ACLs and using bucket policies for simpler management and finer-grained control. Restricting access by source IP address does not satisfy the requirement because any principal from any account could still reach the bucket if it originates from the allowed network range.
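The two-sided check described above, as an added example that is not part of the original page: a bucket policy naming the network account as the principal, an identity policy in that account, and a simplified evaluator that grants a cross-account request only when both allow it. Account IDs, bucket and role names are constructed placeholders, and the evaluator is a teaching model, not the real IAM engine (no explicit Deny, Condition elements or ACLs).

```python
import fnmatch

NETWORK_ACCOUNT = "222222222222"  # account being granted access (placeholder)
BUCKET_ARN = "arn:aws:s3:::example-shared-bucket"  # placeholder bucket, owned by the security account

# Resource-based policy attached to the bucket in the security engineers' account.
# Naming the whole account as Principal scopes access to that account only.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowNetworkAccountRead", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{NETWORK_ACCOUNT}:root"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}

# Identity-based policy on a role inside the network account (constructed example).
NETWORK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account(principal):
    """Account ID of a principal given as an ARN or as a bare 12-digit ID."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def policy_allows(policy, action, resource, principal_arn=None):
    """True if some Allow statement matches action and resource. The Principal
    element is checked only for resource-based policies (principal_arn given);
    an account principal matches every user and role in that account."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if principal_arn is not None:
            allowed = _as_list(stmt["Principal"]["AWS"])
            if not any(_account(p) == _account(principal_arn) for p in allowed):
                continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

def cross_account_allowed(principal_arn, identity_policy, action, resource):
    """Cross-account request: the bucket owner's resource policy AND the caller's
    own identity policy must both allow it; neither alone is sufficient."""
    resource_ok = policy_allows(BUCKET_POLICY, action, resource, principal_arn)
    identity_ok = policy_allows(identity_policy, action, resource)
    return resource_ok and identity_ok
```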