AWS Certified Solutions Architect Associate SAA-C03 Practice Question
An organization wants to allow an application running on a fleet of EC2 instances in its AWS account to access objects in an S3 bucket located in another AWS account. The S3 bucket contains confidential data that must be accessed securely. The organization wants to ensure that the application has only the permissions required to access the specific S3 bucket and objects. What is the most secure and flexible way to achieve this?
Copy the objects from the S3 bucket in the other account to an S3 bucket in the EC2 instance's account, and give the EC2 instances access to the local bucket.
Use an IAM role on the EC2 instances with permissions to access the S3 bucket, and set up cross-account access using a resource-based policy on the S3 bucket.
Configure the EC2 instance's security group to allow outbound traffic to the S3 bucket's VPC endpoint.
Create an IAM user in the S3 bucket's account and store its access keys on the EC2 instances to allow access to the bucket.
The most secure and flexible way is to use an IAM role on the EC2 instances with permissions to access the S3 bucket, and set up cross-account access using a resource-based policy on the S3 bucket. This approach uses IAM roles to grant temporary credentials to the EC2 instances, avoiding the need to store long-term access keys. The resource-based policy on the S3 bucket allows the IAM role from the other account to access the bucket, enabling cross-account access while adhering to the principle of least privilege.
Creating an IAM user and storing its access keys on EC2 instances is less secure because it involves managing long-term credentials, which can be compromised. This approach is also inflexible, because the access keys have to be managed on each EC2 instance.
Configuring the EC2 instance's security group affects network traffic but does not grant permissions to access S3 buckets; AWS permissions are managed via IAM policies, not security groups.
Copying the objects to a local S3 bucket duplicates data unnecessarily and requires additional management, so it is not flexible. It also does not solve the cross-account access problem securely.
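As an added illustration (not part of the question or its answer key), here are the two policy documents that implement the correct option: the resource-based bucket policy in the bucket owner's account, and the identity policy attached to the EC2 instance role in the application's account. The account IDs (111111111111 and 222222222222), the role name AppEC2Role, the bucket name confidential-bucket and the app-data/ prefix are placeholders; the two documents are wrapped in one object only so they can be shown side by side.

```json
{
  "BucketPolicy_in_bucket_owner_account_222222222222": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAppRoleToListPrefix",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/AppEC2Role"},
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::confidential-bucket",
        "Condition": {"StringLike": {"s3:prefix": "app-data/*"}}
      },
      {
        "Sid": "AllowAppRoleToReadObjects",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/AppEC2Role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::confidential-bucket/app-data/*"
      },
      {
        "Sid": "DenyUnencryptedTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::confidential-bucket",
          "arn:aws:s3:::confidential-bucket/*"
        ],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}
      }
    ]
  },
  "IdentityPolicy_on_AppEC2Role_in_application_account_111111111111": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::confidential-bucket"
      },
      {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::confidential-bucket/app-data/*"
      }
    ]
  }
}
```

Both halves are required: cross-account access needs an Allow on the role's identity policy and an Allow for that role in the bucket policy, and neither alone grants access. If the objects are encrypted with a customer managed KMS key in the bucket owner's account, that key's policy must additionally allow the role to call kms:Decrypt.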