
Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 59 discussion

A solutions architect needs to copy data from an Amazon S3 bucket in an AWS account to a new S3 bucket in a new AWS account. The solutions architect must implement a solution that uses the AWS CLI.

Which combination of steps will successfully copy the data? (Choose three.)

  • A. Create a bucket policy to allow the source bucket to list its contents and to put objects and set object ACLs in the destination bucket. Attach the bucket policy to the destination bucket.
  • B. Create a bucket policy to allow a user in the destination account to list the source bucket’s contents and read the source bucket’s objects. Attach the bucket policy to the source bucket.
  • C. Create an IAM policy in the source account. Configure the policy to allow a user in the source account to list contents and get objects in the source bucket, and to list contents, put objects, and set object ACLs in the destination bucket. Attach the policy to the user.
  • D. Create an IAM policy in the destination account. Configure the policy to allow a user in the destination account to list contents and get objects in the source bucket, and to list contents, put objects, and set object ACLs in the destination bucket. Attach the policy to the user.
  • E. Run the aws s3 sync command as a user in the source account. Specify the source and destination buckets to copy the data.
  • F. Run the aws s3 sync command as a user in the destination account. Specify the source and destination buckets to copy the data.
Suggested Answer: BDF
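
Options B, D and F written out as AWS CLI steps, as an added example that is not part of the original question or comments. The bucket names, account ID, user name and the `source-admin`, `dest-admin` and `dest-user` CLI profiles are constructed placeholders; the guard function checks that the source bucket policy grants the destination account read actions only.

```shell
# Constructed placeholders (assumptions, not values from the page).
SRC_BUCKET="example-source-bucket"
DST_BUCKET="example-destination-bucket"
DST_ACCOUNT="111122223333"
DST_USER="copy-user"

# Step B: resource policy attached to the SOURCE bucket, naming the destination-account user.
source_bucket_policy() {
cat <<EOF
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::${DST_ACCOUNT}:user/${DST_USER}"},
  "Action": ["s3:ListBucket", "s3:GetObject"],
  "Resource": ["arn:aws:s3:::${SRC_BUCKET}", "arn:aws:s3:::${SRC_BUCKET}/*"]
}]}
EOF
}

# Step D: identity policy attached to the user in the DESTINATION account.
dest_user_policy() {
cat <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
   "Resource": ["arn:aws:s3:::${SRC_BUCKET}", "arn:aws:s3:::${SRC_BUCKET}/*"]},
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
   "Resource": ["arn:aws:s3:::${DST_BUCKET}", "arn:aws:s3:::${DST_BUCKET}/*"]}
]}
EOF
}

# Guard: succeeds only if the source bucket policy grants no Put, Delete or wildcard actions.
source_policy_is_read_only() {
  ! source_bucket_policy | grep -Eq '"s3:(Put|Delete|\*)'
}

# Steps B, D and F in order; the three profile names are hypothetical.
run_copy() {
  source_policy_is_read_only || return 1
  aws s3api put-bucket-policy --profile source-admin --bucket "$SRC_BUCKET" --policy "$(source_bucket_policy)"
  aws iam put-user-policy --profile dest-admin --user-name "$DST_USER" --policy-name cross-account-s3-copy --policy-document "$(dest_user_policy)"
  aws s3 sync --profile dest-user "s3://${SRC_BUCKET}" "s3://${DST_BUCKET}"
}

# Nothing touches AWS unless the script is invoked with the argument "apply".
if [ "${1:-}" = "apply" ]; then run_copy; fi
```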

Comments

icassp
Highly Voted 1 year, 10 months ago
Selected Answer: BDF
"The above command should be executed with destination AWS IAM user account credentials only otherwise the copied objects in destination S3 bucket will still have the source account permissions and won’t be accessible by destination account users." According to https://medium.com/tensult/copy-s3-bucket-objects-across-aws-accounts-e46c15c4b9e1.
upvoted 26 times
masetromain
1 year, 10 months ago
You are correct, step E should be executed using the IAM user credentials from the destination account. This is because when objects are copied from one bucket to another, the object's permissions (ACLs) are also copied. Therefore, if the objects are copied using the IAM user credentials from the source account, the objects will have the same permissions as they did in the source bucket, which may not include permissions for the user in the destination account. By using the IAM user credentials from the destination account, the objects will have the appropriate permissions for the user in the destination account once they are copied.
upvoted 5 times
...
...
masetromain
Highly Voted 1 year, 10 months ago
Selected Answer: BDF
I switch to BDF;
Step B is necessary so that the user in the destination account has the necessary permissions to access the source bucket and list its contents, read its objects.
Step D is needed so that the user in the destination account has the necessary permissions to access the destination bucket and list contents, put objects, and set object ACLs.
Step F is necessary because the aws s3 sync command needs to be run using the IAM user credentials from the destination account, so that the objects will have the appropriate permissions for the user in the destination account once they are copied.
The other choices are not correct because:
A. and C. are about creating policies in the source account, but the user who wants to access the data is in the destination account.
E. is about running the command with the source account, which is not suitable because it will lead to copied objects in the destination S3 bucket still having the source account permissions, and they won’t be accessible by destination account users.
upvoted 16 times
...
jAtlas7
Most Recent 3 days, 22 hours ago
BDF is the answer - see: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/copy-data-from-an-s3-bucket-to-another-account-and-region-by-using-the-aws-cli.html
upvoted 1 times
...
amministrazione
2 months, 3 weeks ago
B. Create a bucket policy to allow a user in the destination account to list the source bucket’s contents and read the source bucket’s objects. Attach the bucket policy to the source bucket.
D. Create an IAM policy in the destination account. Configure the policy to allow a user in the destination account to list contents and get objects in the source bucket, and to list contents, put objects, and set object ACLs in the destination bucket. Attach the policy to the user.
F. Run the aws s3 sync command as a user in the destination account. Specify the source and destination buckets to copy the data.
upvoted 1 times
...
8608f25
9 months, 2 weeks ago
Selected Answer: BDF
B. Create a bucket policy to allow a user in the destination account to list the source bucket’s contents and read the source bucket’s objects. Attach the bucket policy to the source bucket. This step ensures that the destination account has the necessary permissions to access the data in the source bucket.
D. Create an IAM policy in the destination account. Configure the policy to allow a user in the destination account to list contents and get objects in the source bucket, and to list contents, put objects, and set object ACLs in the destination bucket. Attach the policy to the user. This step provides the necessary permissions for a user in the destination account to both access the source bucket’s contents and write to the destination bucket.
upvoted 1 times
8608f25
9 months, 2 weeks ago
F. Run the aws s3 sync command as a user in the destination account. Specify the source and destination buckets to copy the data. Performing the sync operation as a user in the destination account, who has been granted the appropriate permissions, ensures that the data can be copied from the source bucket to the destination bucket successfully.
upvoted 1 times
...
...
ninomfr64
10 months, 3 weeks ago
Selected Answer: BDF
Not A. A bucket policy attached to the destination bucket cannot allow the source bucket to execute actions.
Not C. Because we are picking option B, which relies on a policy allowing a user in the destination account.
Not E. Because we are picking options B and D, which rely on a user in the destination account.
upvoted 1 times
...
jpa8300
10 months, 3 weeks ago
Selected Answer: BDF
No need for more explanations, the ones below are enough.
upvoted 1 times
...
edder
12 months ago
Selected Answer: BDF
BD: https://repost.aws/knowledge-center/cross-account-access-s3
F: https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html
upvoted 1 times
...
aviathor
1 year, 2 months ago
Selected Answer: BDF
A is incorrect since a bucket policy cannot allow another bucket to do anything. B is, however, an option since you can indeed create a bucket policy to allow a user in another account to perform operations on the bucket. Once you have chosen B, then D and F are the only possible choices.
upvoted 2 times
...
H4des
1 year, 3 months ago
Selected Answer: BCE
BCE should also work
Create bucket policy at destination bucket to allow permission on source aws user
Create IAM policy for source aws user to list/get/put on both buckets
Run s3 sync command from source bucket to destination bucket
upvoted 1 times
...
CuteRunRun
1 year, 3 months ago
Selected Answer: BDF
I prefer BDF, I do not know why the correct answer is ADF
upvoted 1 times
...
Christina666
1 year, 4 months ago
Selected Answer: BDF
source bucket: allow destination user + list & get contents permission
destination bucket: allow IAM user to get source bucket contents + destination bucket get/list/put objects
+ aws sync command
upvoted 2 times
...
NikkyDicky
1 year, 4 months ago
Selected Answer: BDF
it's BDF for sure
upvoted 1 times
...
Maria2023
1 year, 5 months ago
Selected Answer: BDF
The entire idea of A is wrong (you achieve nothing by giving rights from one bucket to another), so we start from B and the rest is common sense.
upvoted 2 times
...
huanaws088
1 year, 7 months ago
Selected Answer: BDF
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/copy-data-from-an-s3-bucket-to-another-account-and-region-by-using-the-aws-cli.html
upvoted 3 times
...
God_Is_Love
1 year, 8 months ago
Logical answer: Whoever uploads to a bucket becomes its owner. So A should ring a flaw in it. Similar issue in C. So straight away, A, C are wrong. That points to B, D to be correct. Refer https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/copy-data-from-an-s3-bucket-in-one-account-and-region-to-another-account-and-region.html
Now E or F? The hint is in D. Destination account user has the necessary privileges to get/put objects permission. So choose destination account or run sync/copy commands. So the answer should be B, D, F
upvoted 6 times
...
hobokabobo
1 year, 9 months ago
The parts BDF fit together in a way that works. I think choosing this direction (pulling from the destination account) is slightly more secure than the other way round (pushing from source to destination), as only read access is granted to the foreign account but no write access - especially regarding human error: one cannot accidentally tamper with the source, so the worst thing that could happen is that one needs to sync again. The other options don't fit together with other parts.
upvoted 1 times
...