
Answer-first summary for fast verification
Answer: Develop an IAM role in the sales account with access to the S3 bucket. Enable the marketing account to assume this IAM role to access the S3 bucket. Establish a trust relationship between the new IAM role in the sales account and the QuickSight role in the marketing account.
The correct answer is D. Creating an IAM role in the sales account with the necessary permissions to access the S3 bucket and allowing the marketing account to assume this role provides a secure and efficient solution. This approach avoids the need for data duplication or unnecessary alterations to S3 bucket policies or KMS grants. It also eliminates operational overhead by leveraging IAM roles and trust relationships, which are designed for secure cross-account access. This method ensures the marketing team can access the S3 data without duplicating data or re-encrypting it, thus maintaining data security and integrity.
Author: LeetQuiz Editorial Team
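The role setup in the explanation above, as an added example that is not part of the original page: it builds the trust policy and permissions policy for the sales-account role and checks that the trust policy names only the QuickSight role rather than the whole marketing account. The account IDs, role name, bucket, and key ARN are constructed placeholders, and putting `kms:Decrypt` in the role's own policy assumes the key policy in the sales account delegates access to IAM policies.

```python
# Constructed placeholder identifiers; none of these come from the page.
SALES, MARKETING = "111111111111", "222222222222"
QUICKSIGHT_ROLE = f"arn:aws:iam::{MARKETING}:role/example-quicksight-service-role"
BUCKET_ARN = "arn:aws:s3:::example-sales-data"
KEY_ARN = f"arn:aws:kms:us-east-1:{SALES}:key/EXAMPLE-KEY-ID"

def trust_policy(principal):
    """Trust policy on the sales-account role: who may call sts:AssumeRole."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole"}]}

def permissions_policy():
    """What the assumed role may do: read the bucket, decrypt with its key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}

def audit_trust(policy, expected):
    """List Allow principals that are broader than, or differ from, `expected`."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = "*" if principal == "*" else principal.get("AWS", [])
        for arn in [arns] if isinstance(arns, str) else arns:
            if arn == "*":
                findings.append("wildcard principal")
            elif arn.isdigit() or arn.endswith(":root"):
                findings.append(f"whole account trusted: {arn}")
            elif arn != expected:
                findings.append(f"unexpected principal: {arn}")
    return findings

if __name__ == "__main__":
    import json
    print(json.dumps(trust_policy(QUICKSIGHT_ROLE), indent=2))
    print(audit_trust(trust_policy(f"arn:aws:iam::{MARKETING}:root"), QUICKSIGHT_ROLE))
```

Because the role lives in a different account from its caller, the QuickSight role in the marketing account also needs an identity policy allowing `sts:AssumeRole` on the sales role's ARN.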
In a multi-account AWS environment, the sales team stores large amounts of data in an encrypted Amazon S3 bucket, while the marketing team utilizes Amazon QuickSight for data visualization. The marketing team requires access to the sales team's S3 data, which is encrypted with an AWS KMS key. The marketing team has already established an IAM service role for QuickSight in their account. What is the most efficient and secure method to grant the marketing team access to the sales team's S3 data without excessive operational overhead?
A
Establish a new S3 bucket in the marketing account and set up an S3 replication rule in the sales account to transfer objects to the new bucket. Modify QuickSight permissions in the marketing account to allow access to the new S3 bucket.
B
Implement an SCP to permit access to the S3 bucket for the marketing account. Utilize AWS RAM to share the KMS key from the sales account with the marketing account. Adjust QuickSight permissions in the marketing account to enable access to the S3 bucket.
C
Amend the S3 bucket policy in the marketing account to authorize the QuickSight role. Create a KMS grant for the encryption key used in the S3 bucket, granting decrypt permissions to the QuickSight role. Update QuickSight permissions in the marketing account to allow access to the S3 bucket.
D
Develop an IAM role in the sales account with access to the S3 bucket. Enable the marketing account to assume this IAM role to access the S3 bucket. Establish a trust relationship between the new IAM role in the sales account and the QuickSight role in the marketing account.