AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct approach is to create a dedicated IAM role in each member account with read-only permissions to the S3 buckets and a trust policy that allows an IAM role in the Security account to assume it. This is the AWS best practice for scalable and secure cross-account access. When a principal assumes a role, they temporarily acquire the permissions of that role, which supports the principle of least privilege by not granting persistent broad access. This method is highly scalable as the role creation can be automated across accounts using AWS CloudFormation StackSets.

Granting access directly via S3 bucket policies to a principal in another account is a valid method for cross-account access, but it is less scalable. Managing hundreds of individual bucket policies is more complex and error-prone than managing a single, centrally-deployed IAM role definition.

Creating IAM users in each member account is an anti-pattern. It leads to a proliferation of long-lived credentials, creates significant management overhead, and increases the security risk. Centralizing identities is a core security best practice.

Service Control Policies (SCPs) do not grant permissions. Instead, they act as permission guardrails, defining the maximum allowable permissions for an account or Organizational Unit (OU). An SCP alone cannot grant the security team access; permissions must still be explicitly granted via IAM policies or resource-based policies.