AWS Certified Solutions Architect Associate SAA-C03 Practice Question
An organization wants to allow an application running on EC2 instances fleet in their AWS account to access objects in an S3 bucket located in another AWS account. The S3 bucket contains confidential data that must be securely accessed. The organization wants to ensure that the application has only the required permissions to access the specific S3 bucket and objects. What is the most secure and flexible way to achieve this?
Create an IAM user in the S3 bucket's account and store its access keys on the EC2 instances to allow access to the bucket.
Copy the objects from the S3 bucket in the other account to an S3 bucket in the EC2 instance's account, and give the EC2 instances access to the local bucket.
Use an IAM role on the EC2 instances with permissions to access the S3 bucket, and set up cross-account access using a resource-based policy on the S3 bucket.
Configure the EC2 instance's security group to allow outbound traffic to the S3 bucket's VPC endpoint.