Answer-first summary for fast verification
Answer: Add the development account as a principal in the trust policy of the role in the production account.
## Explanation **Correct Answer: B** - Add the development account as a principal in the trust policy of the role in the production account. ### Why Option B is Correct: 1. **Cross-Account Access via IAM Roles**: This is the AWS best practice for allowing users from one AWS account to access resources in another account. The IAM role in the production account needs to trust the development account. 2. **Principle of Least Privilege**: The role already has a policy granting access to the S3 bucket, so users from the development account will only get the permissions defined in that role's policy - no more, no less. 3. **No Credential Sharing**: Team members continue using their existing IAM users in the development account and can assume the role in the production account without needing separate credentials. ### Why Other Options are Incorrect: **A. Attach the Administrator Access policy to the development account users.** - Violates the principle of least privilege by granting excessive permissions (administrator access) - Doesn't actually solve the cross-account access problem **C. Turn off the S3 Block Public Access feature on the S3 bucket in the production account.** - Creates a security risk by potentially making the bucket publicly accessible - Doesn't provide controlled access to specific team members - Violates security best practices **D. Create a user in the production account with unique credentials for each team member.** - Creates credential management overhead (multiple sets of credentials per user) - Doesn't leverage the existing IAM setup in the development account - Less secure than using cross-account IAM roles ### Implementation Steps: 1. Modify the trust policy of the IAM role in the production account to include the development account's ID as a trusted entity. 2. Grant IAM users in the development account permission to assume the role in the production account. 3. Team members can then use AWS STS (Security Token Service) to assume the role and access the S3 bucket in the production account. This approach maintains security, follows AWS best practices, and complies with the principle of least privilege.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A solutions architect needs to allow team members to access Amazon S3 buckets in two different AWS accounts: a development account and a production account. The team currently has access to S3 buckets in the development account by using unique IAM users that are assigned to an IAM group that has appropriate permissions in the account.
The solutions architect has created an IAM role in the production account. The role has a policy that grants access to an S3 bucket in the production account.
Which solution will meet these requirements while complying with the principle of least privilege?
A
Attach the Administrator Access policy to the development account users.
B
Add the development account as a principal in the trust policy of the role in the production account.
C
Turn off the S3 Block Public Access feature on the S3 bucket in the production account.
D
Create a user in the production account with unique credentials for each team member.