AWS Certified Solutions Architect - Professional

A company is running applications on AWS in a multi-account environment. The company's sales team and marketing team use separate AWS accounts in AWS Organizations. The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualizations. The marketing team needs access to data that the sales team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key. The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in the marketing AWS account. The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts. Which solution will meet these requirements with the LEAST operational overhead?

Explanation:

Answer D is the correct solution because it leverages AWS' native cross-account access mechanisms to provide the necessary access with the least operational overhead. Here's why:

  1. IAM Role for Cross-Account Access:

    • Creating an IAM role in the sales account and granting it access to the S3 bucket allows for secure cross-account access. This IAM role can have a policy attached that grants necessary permissions to access the S3 bucket that holds the sales team's data.
  2. Assuming Role from Marketing Account:

    • The marketing account can assume the IAM role created in the sales account. This is a standard AWS best practice for cross-account access: permissions are granted only when necessary, through IAM's built-in role-assumption mechanism.
  3. Least Operational Overhead:

    • This approach avoids the complexity of creating and managing new S3 buckets, replication rules, and SCP configurations. It also avoids the potential pitfalls associated with these methods, such as data consistency issues and increased cost.
    • Using AWS RAM and SCPs, as mentioned in other options, introduces additional steps and thus more operational overhead compared to directly using IAM roles and trust policies.
  4. Trust Relationship:

    • Updating the QuickSight role to create a trust relationship with the new IAM role in the sales account ensures that QuickSight can securely access data in the S3 bucket by assuming the cross-account role. It uses existing IAM functionality without additional configuration complexity.
  5. Secure and Scalable:

    • This method ensures a scalable, secure, and straightforward solution that adheres to the principle of least privilege. It allows for granular control over permissions and ensures operations remain manageable as organizational needs grow.

This combination of IAM roles, cross-account trust policies, and role assumption minimizes security risks and reduces administrative overhead, making it the optimal solution for granting secure access across AWS accounts.
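
The role chain described in the explanation, written out as the three IAM policy documents it needs plus a small least-privilege check. This is an added example, not part of the original question or its answer options; the account IDs, role names, bucket name and key ARN are constructed placeholders, and it assumes the sales account's KMS key policy delegates access control to IAM.

```python
import json

# Constructed placeholders (assumptions, not values from the page).
BUCKET = "example-sales-data"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"
SALES_ROLE_ARN = "arn:aws:iam::111111111111:role/example-sales-s3-read"
QUICKSIGHT_ROLE_ARN = "arn:aws:iam::222222222222:role/example-quicksight-role"

def policy_doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def sales_role_trust_policy():
    """Trust policy on the sales role: only the QuickSight role may assume it."""
    return policy_doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": QUICKSIGHT_ROLE_ARN}})

def sales_role_permissions():
    """Read-only bucket access plus decrypt on the key that encrypts the bucket."""
    return policy_doc(
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        # Assumes the sales account's key policy delegates access control to IAM.
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KMS_KEY_ARN})

def quicksight_role_permissions():
    """Identity policy on the marketing QuickSight role: assume one role only."""
    return policy_doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": SALES_ROLE_ARN})

def chain_problems(trust, data, caller):
    """List least-privilege or wiring problems across the three documents."""
    problems = []
    for name, doc in (("trust", trust), ("data", data), ("caller", caller)):
        for st in doc["Statement"]:
            if "*" in json.dumps([st["Action"], st.get("Principal", "")]):
                problems.append(f"{name}: wildcard action or principal")
            if st.get("Resource") == "*":
                problems.append(f"{name}: wildcard resource")
    if trust["Statement"][0]["Principal"] != {"AWS": QUICKSIGHT_ROLE_ARN}:
        problems.append("trust: principal is not the QuickSight role")
    if caller["Statement"][0]["Resource"] != SALES_ROLE_ARN:
        problems.append("caller: may assume a role other than the sales role")
    if "kms:Decrypt" not in json.dumps(data):
        problems.append("data: no kms:Decrypt, encrypted objects are unreadable")
    return problems

if __name__ == "__main__":
    for doc in (sales_role_trust_policy(), sales_role_permissions(), quicksight_role_permissions()):
        print(json.dumps(doc, indent=2))
```

Because the bucket is encrypted with a KMS key, S3 permissions alone are not enough: without `kms:Decrypt` on that key, reads through the assumed role fail even though the role chain itself is wired correctly.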
