
A solutions architect needs to allow team members to access Amazon S3 buckets in two different AWS accounts: a development account and a production account. The team currently has access to S3 buckets in the development account by using unique IAM users that are assigned to an IAM group that has appropriate permissions in the account.
The solutions architect has created an IAM role in the production account. The role has a policy that grants access to an S3 bucket in the production account.
Which solution will meet these requirements while complying with the principle of least privilege?
A. Attach the Administrator Access policy to the development account users.
B. Add the development account as a principal in the trust policy of the role in the production account.
C. Turn off the S3 Block Public Access feature on the S3 bucket in the production account.
D. Create a user in the production account with unique credentials for each team member.
Explanation:
Correct Answer: B - Add the development account as a principal in the trust policy of the role in the production account.
Cross-Account Access via IAM Roles: This is the AWS best practice for allowing users from one AWS account to access resources in another account. The IAM role in the production account needs to trust the development account.
Principle of Least Privilege: The role already has a policy granting access to the S3 bucket, so users from the development account will only get the permissions defined in that role's policy - no more, no less.
No Credential Sharing: Team members continue using their existing IAM users in the development account and can assume the role in the production account without needing separate credentials.
The remaining options do not meet the requirements:
A. Attach the Administrator Access policy to the development account users.
C. Turn off the S3 Block Public Access feature on the S3 bucket in the production account.
D. Create a user in the production account with unique credentials for each team member.
This approach maintains security, follows AWS best practices, and complies with the principle of least privilege.