Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 903 discussion

Answer A By creating separate access points for each application, you can enforce access controls specific to their respective prefixes while minimizing administrative complexity. This approach provides a clean separation of permissions and reduces the risk of misconfigurations. Options B, C, and D are not as efficient or straightforward: Option B (S3 Batch Operations) involves setting ACL permissions for each object individually, which can be cumbersome and time-consuming. Option C (replicating objects to new S3 buckets) introduces additional buckets and replication rules, increasing management overhead. Option D (replicating objects and creating dedicated S3 access points) adds unnecessary complexity by combining replication and access point creation.

"unique prefix for each application" hence access points. Also, ACL is not recommended by AWS.

A. Create dedicated S3 access points and access point policies for each application.

Explanation: S3 Access Points: These provide a way to manage access to shared data sets in Amazon S3. Each access point has a unique hostname and a policy that is specific to the use case, allowing for granular control over access to data. Access Point Policies: These policies can be tailored to restrict access to specific prefixes within an S3 bucket, ensuring that each application only has access to its designated prefix.

Answer B Taking into consideration that we have "numerous applications" (10,100,1000?) and we need meet requirements with the LEAST operational overhead I would go into authomatization of operations hence Batch Operations seems to be good choice. https://aws.amazon.com/blogs/storage/updating-amazon-s3-object-acls-at-scale-with-s3-batch-operations/

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html

Create an S3 Batch Operations job to set the ACL permissions for each object in the S3 bucket