AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A development team runs an application on Amazon EC2 instances in Account A. The application must upload daily log files to a private Amazon S3 bucket that is owned by Account B. Security mandates removal of all long-term credentials on the instances and wants access restricted only to writing objects to that specific bucket. Which solution meets these requirements while following AWS IAM best practices?
Attach the AmazonS3FullAccess managed policy to the existing EC2 instance profile in Account A and add a bucket policy in Account B that grants the role permission to write objects.
Create an IAM user in Account B with programmatic access, store the user's access keys in AWS Systems Manager Parameter Store, and have the EC2 instances read the keys at runtime.
Enable S3 cross-region replication from a new bucket in Account A to the target bucket in Account B so logs are copied automatically without additional IAM configuration.
In Account B, create an IAM role that allows s3:PutObject only on the log bucket and trusts Account A. Allow the EC2 instance profile in Account A to assume this role with STS, and have the application use the temporary credentials to upload logs.
The recommended pattern for cross-account access is to create a role in the resource-owning account and allow the calling account to assume it. A role in Account B can be given a least-privilege policy that permits only s3:PutObject on the target bucket. Its trust policy lists Account A, so the EC2 instance profile in Account A can assume the role through AWS STS. No long-term keys are stored, and the permissions are scoped to a single operation on one bucket. Creating users with access keys retains long-term credentials. Granting AmazonS3FullAccess to the instance profile violates least privilege. S3 replication or anonymous writes do not satisfy the requirements or the security controls.
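As an added illustration, not part of the original question or its explanation, the three policy documents the correct answer relies on (the Account B role's trust and permissions policies, and the Account A instance-profile policy that may assume only that role), built and checked for least privilege in Python. Account IDs, the bucket name and the role ARN are placeholders.

```python
"""Cross-account, least-privilege log upload: EC2 in Account A -> S3 bucket in Account B.

Constructed example: the account IDs, bucket name and role ARN below are placeholders.
"""
ACCOUNT_A = "111111111111"          # placeholder: account running the EC2 instances
ACCOUNT_B = "222222222222"          # placeholder: account that owns the log bucket
LOG_BUCKET = "example-log-bucket"   # placeholder bucket name
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/LogUploadRole"  # placeholder role in Account B


def trust_policy(caller_account: str) -> dict:
    """Trust policy on the Account B role: only principals in Account A may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{caller_account}:root"},
        "Action": "sts:AssumeRole"}]}


def permission_policy(bucket: str) -> dict:
    """Permissions policy on the Account B role: write objects into one bucket, nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def caller_policy(role_arn: str) -> dict:
    """Policy on the Account A instance-profile role: may assume only the one Account B role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": role_arn}]}


def is_least_privilege(policy: dict, allowed_actions: set) -> bool:
    """True when every Allow statement names only expected, non-wildcard actions and resources."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any("*" in a for a in actions) or not set(actions) <= allowed_actions:
            return False
        if any(r == "*" for r in resources):
            return False
    return True


if __name__ == "__main__":
    import json
    print(json.dumps(trust_policy(ACCOUNT_A), indent=2))
    print(is_least_privilege(permission_policy(LOG_BUCKET), {"s3:PutObject"}))  # True
```

At runtime the instance calls sts:AssumeRole with ROLE_ARN and uses the returned temporary credentials for the PutObject call, so no access keys ever live on the instance.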