DVA-C02 Question #772: Real Exam Question with Answer & Explanation
The correct answers are B and D: update the instance profile IAM role in Account A with S3 read permissions, and configure the bucket policy in Account B to grant those permissions to that specific role. A cross-account S3 request is allowed only when both the identity-based policy in the caller's account and the bucket (resource-based) policy in the bucket owner's account permit it, so both actions are required. The bucket stays private, and because the bucket policy names only that one role ARN, no other principal gains access.
Question
A developer is deploying an application on Amazon EC2 instances that run in Account A. In certain cases, this application needs to read data from a private Amazon S3 bucket in Account B. The developer must provide the application access to the S3 bucket without exposing the S3 bucket to anyone else. Which combination of actions should the developer take to meet these requirements? (Choose two.)
Options
- A. Create an IAM role with S3 read permissions in Account B.
- B. Update the instance profile IAM role in Account A with S3 read permissions.
- C. Make the S3 bucket public with limited access for Account A.
- D. Configure the bucket policy in Account B to grant permissions to the instance profile role.
- E. Add a trust policy that allows s3:Get* permissions to the IAM role in Account B.
Explanation
Cross-account access to S3 needs permission on both sides. The instance profile role in Account A needs an identity-based policy that allows the S3 read actions on the bucket (B), and the bucket in Account B needs a bucket policy whose Principal is that role's ARN (D). AWS evaluates the request against both documents and denies it unless both allow (an explicit Deny in either wins). Because the bucket policy names only that one role, nobody else can read the bucket and the bucket never becomes public.

Why the other options fail: C makes the bucket public, which the requirements explicitly forbid. A describes the alternative pattern, in which the application assumes a role that lives in Account B; that pattern would also need a trust policy on the Account B role naming the Account A instance profile role as the principal for sts:AssumeRole, plus sts:AssumeRole permission on the instance profile role, and no option provides either. E misunderstands trust policies: a trust policy controls who may assume a role (sts:AssumeRole), not which S3 actions the role may perform, so s3:Get* does not belong in one.
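The two policy documents that options B and D call for, together with a small evaluator that mimics the cross-account part of IAM policy evaluation, as an added example that is not part of the original question page. It shows that the read succeeds only when both documents allow it, and that another role in Account A, or a write by the granted role, is still denied. The account IDs, role names, bucket name and object key are made-up placeholders.

```python
"""Added example, not part of the original question page: the two policy
documents that options B and D call for, plus a small evaluator that mimics
the cross-account part of IAM policy evaluation, so you can see that the read
succeeds only when BOTH documents allow it. Account IDs, the role names and the
bucket name are made-up placeholders."""
import fnmatch

ACCOUNT_A = "111111111111"  # assumed: the account running the EC2 instances
ACCOUNT_B = "222222222222"  # assumed: the account that owns the bucket
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/AppInstanceRole"  # assumed role name
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/SomeOtherRole"  # assumed, not granted
BUCKET = "example-private-bucket"  # assumed bucket name
KEY = f"arn:aws:s3:::{BUCKET}/data/report.csv"  # constructed object ARN

# Option B: identity-based policy attached to the instance profile role in Account A.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Option D: bucket policy in Account B that names exactly one principal, the role above.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}  # stands in for "not configured"


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') of value against a string or list of patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(statement, principal_arn):
    """Identity policies carry no Principal element; resource policies must name the caller."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    return _matches(principal.get("AWS", []), principal_arn)


def _decision(policy, principal_arn, action, resource):
    """Return 'deny', 'allow' or None (no matching statement) for a single policy document."""
    result = None
    for st in policy["Statement"]:
        if not _principal_matches(st, principal_arn):
            continue
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if st["Effect"] == "Deny":
            return "deny"  # an explicit deny always wins
        result = "allow"
    return result


def cross_account_allowed(identity_policy, bucket_policy, principal_arn,
                          principal_account, resource_account, action, resource):
    """Simplified IAM evaluation: explicit Deny wins; for a cross-account request both the
    caller's identity policy and the bucket policy must Allow; a same-account request needs
    only one of them. SCPs, permission boundaries and session policies are not modelled."""
    ident = _decision(identity_policy, principal_arn, action, resource)
    bucket = _decision(bucket_policy, principal_arn, action, resource)
    if "deny" in (ident, bucket):
        return False
    if principal_account != resource_account:
        return ident == "allow" and bucket == "allow"
    return "allow" in (ident, bucket)


def demo():
    """Evaluate the scenarios the answer options describe; returns {scenario: allowed?}."""
    args = (ROLE_ARN, ACCOUNT_A, ACCOUNT_B, "s3:GetObject", KEY)
    return {
        "B and D: both policies in place": cross_account_allowed(IDENTITY_POLICY, BUCKET_POLICY, *args),
        "B only: no bucket policy in Account B": cross_account_allowed(IDENTITY_POLICY, EMPTY_POLICY, *args),
        "D only: role in Account A lacks S3 permissions": cross_account_allowed(EMPTY_POLICY, BUCKET_POLICY, *args),
        "another role in Account A, not named in bucket policy":
            cross_account_allowed(IDENTITY_POLICY, BUCKET_POLICY, OTHER_ROLE, *args[1:]),
        "the granted role tries to write":
            cross_account_allowed(IDENTITY_POLICY, BUCKET_POLICY, ROLE_ARN, ACCOUNT_A, ACCOUNT_B, "s3:PutObject", KEY),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'allowed' if ok else 'denied'}")
```

Only the first scenario is allowed; dropping either document, substituting a different role from Account A, or attempting a write is denied. In a real deployment the same check can be run against live policies with the IAM policy simulator (SimulatePrincipalPolicy), which also accounts for SCPs and permission boundaries that this toy evaluator ignores.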