Exam AWS Certified Developer Associate topic 1 question 84 discussion

I think it might be B and D. For cross account access, you need to set resource policy on the S3 bucket (to give access to the role in account A) as well as the IAM role in Account A having access to the bucket in B: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html

Step 1: The application running on Account A’s EC2 instance sends a request to access the S3 bucket in Account B. Step 2: The EC2 instance in Account A must assume an IAM role from Account B. This is done via a trust policy that allows Account A’s EC2 instance to assume the role in Account B. Step 3: The IAM role in Account B allows access to the S3 bucket by having appropriate S3 permissions (e.g., s3:GetObject). Step 4: The S3 bucket policy in Account B needs to ensure that the IAM role in Account B has the permissions to access the bucket.

correct answer BD

I have set up cross-account access to S3 and know in practice that the correct answers are B and D.

ChatGTP said: A. Create an IAM role with S3 read permissions in Account B. This IAM role should have a policy that allows it to read from the S3 bucket. D. Configure the bucket policy in Account B to grant permissions to the instance profile role. The bucket policy should be updated to allow the IAM role from Account A to access the bucket. Option B is not necessary because the IAM role with the necessary permissions is being created in Account B, not Account A. Option C is not recommended because making the S3 bucket public could expose it to unauthorized access. Option E is not correct because trust policies are used to delegate permissions to IAM entities, but in this case, we need to grant access to an S3 bucket, which is done through a bucket policy or an IAM policy.

I was voting for A and B but reading the comments I totally agree with you guys, I changed my mind. The answer is B and D it's also explained in this YT tutorial: https://www.youtube.com/watch?v=Ob1zYHjqNwo

I think it is B and D, for every cross-account access, trust policy is required.

A. Create an IAM role with S3 read permissions in Account B. This will allow the application to assume the IAM role and access the S3 bucket in Account B. D. Configure the bucket policy in Account B to grant permissions to the instance profile role. This will allow the application running on the EC2 instances in Account A to access the S3 bucket in Account B by assuming the IAM role created in step A.

B, C, and E are incorrect because: B. Updating the instance profile IAM role in Account A with S3 read permissions is not the correct solution because the S3 bucket is in Account B, and the instance profile IAM role is in Account A. C. Making the S3 bucket public is not a recommended approach since it would expose the S3 bucket to anyone with the S3 bucket URL. E. Adding a trust policy that allows s3:Get* permissions to the IAM role in Account B is not necessary since the IAM role will be used to access the S3 bucket, not assume other roles.

I think that A & D

i think the steps are A and B A. Create an IAM role with S3 read permissions in Account B. B. Update the instance profile IAM role in Account A with S3 read permissions. https://repost.aws/knowledge-center/s3-instance-access-bucket

Yes its BD . The scenario very well explained below https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html

Refer to links provided in the chats below. Correct answer B&D

It's B&D

what about DE. it may not be B because yes ec2 needs access to s3 but the question is how to make the s3 bucket avaliable not whether or not the ec2 has the right to read from s3 E= make s3 bucket avaliable to be used by others D=use that s3 bucket. the instance is refering to the ec2

B and D is the answer

I think B & D https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/