AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Explanation:

Explanation

Correct Answer: C - Configure cross-account access for the S3 bucket to the accounts that the agencies own.

Why Option C is Correct:

Security: Cross-account access allows the company to grant specific read permissions to each agency's AWS account without making the bucket public or creating IAM users in the source account.
Operational Efficiency: Agencies can manage their own IAM users and permissions within their accounts, reducing administrative overhead for the company.
Least Privilege: The company can grant only the necessary read permissions to each agency's account.
Scalability: As agencies are added or removed, the company only needs to update bucket policies or IAM roles, not manage individual user accounts.

Why Other Options are Incorrect:

Option A - Configure S3 global tables to replicate data for each agency:

S3 Global Tables are for cross-region replication, not for sharing data with external agencies.
This would create unnecessary data duplication and costs.
Doesn't address access control requirements.

Option B - Make the S3 bucket public for a limited time:

Major security risk: Public buckets expose data to anyone who discovers the bucket name.
Not compliant with security best practices.
Difficult to control and monitor access.
Doesn't provide audit trails for who accessed the data.

Option D - Set up an IAM user for each analyst in the source data account:

Poor operational efficiency: The company would need to manage IAM users for all analysts across all agencies.
Security concerns: The company would need to manage credentials, MFA, and access policies for external users.
Scalability issues: As agencies and analysts change, the company would need to constantly update IAM users.
Compliance challenges: Harder to maintain audit trails and separation of duties.

Best Practices Implemented by Option C:

Cross-account IAM roles: Create roles that agencies can assume from their accounts.
Bucket policies: Use S3 bucket policies to grant cross-account access.
Resource-based policies: Combine with IAM policies in agency accounts.
AWS Organizations: Can be used with Service Control Policies for additional governance.

This approach follows AWS security best practices by maintaining proper access control, enabling auditability, and minimizing operational overhead for the data owner.

Explanation:

Explanation

Correct Answer: C - Configure cross-account access for the S3 bucket to the accounts that the agencies own.

Why Option C is Correct:

Security: Cross-account access allows the company to grant specific read permissions to each agency's AWS account without making the bucket public or creating IAM users in the source account.
Operational Efficiency: Agencies can manage their own IAM users and permissions within their accounts, reducing administrative overhead for the company.
Least Privilege: The company can grant only the necessary read permissions to each agency's account.
Scalability: As agencies are added or removed, the company only needs to update bucket policies or IAM roles, not manage individual user accounts.

Why Other Options are Incorrect:

Option A - Configure S3 global tables to replicate data for each agency:

S3 Global Tables are for cross-region replication, not for sharing data with external agencies.
This would create unnecessary data duplication and costs.
Doesn't address access control requirements.

Option B - Make the S3 bucket public for a limited time:

Major security risk: Public buckets expose data to anyone who discovers the bucket name.
Not compliant with security best practices.
Difficult to control and monitor access.
Doesn't provide audit trails for who accessed the data.

Option D - Set up an IAM user for each analyst in the source data account:

Poor operational efficiency: The company would need to manage IAM users for all analysts across all agencies.
Security concerns: The company would need to manage credentials, MFA, and access policies for external users.
Scalability issues: As agencies and analysts change, the company would need to constantly update IAM users.
Compliance challenges: Harder to maintain audit trails and separation of duties.

Best Practices Implemented by Option C:

Cross-account IAM roles: Create roles that agencies can assume from their accounts.
Bucket policies: Use S3 bucket policies to grant cross-account access.
Resource-based policies: Combine with IAM policies in agency accounts.
AWS Organizations: Can be used with Service Control Policies for additional governance.

This approach follows AWS security best practices by maintaining proper access control, enabling auditability, and minimizing operational overhead for the data owner.

Comments (0)

No comments yet.

A company collects 10 GB of telemetry data daily from various machines. The company stores the data in an Amazon S3 bucket in a source data account. The company has hired several consulting agencies to use this data for analysis. Each agency needs read access to the data for its analysts. The company must share the data from the source data account by choosing a solution that maximizes security and operational efficiency. Which solution will meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Configure S3 global tables to replicate data for each agency.

Make the S3 bucket public for a limited time. Inform only the agencies.

Configure cross-account access for the S3 bucket to the accounts that the agencies own.