Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 101 discussion

A company is running applications on AWS in a multi-account environment. The company's sales team and marketing team use separate AWS accounts in AWS Organizations.

The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualizations. The marketing team needs access to data that the sales team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key. The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in the marketing AWS account. The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3 bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket.
  • B. Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS Resource Access Manager (AWS RAM) to share the KMS key from the sales account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.
  • C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.
  • D. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight rote, to create a trust relationship with the new IAM role in the sales account.
Suggested Answer: D

Comments

masetromain
Highly Voted 2 years ago
Selected Answer: D
The correct answer is D. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account. This solution meets the requirements by allowing the marketing team to access the data in the S3 bucket in the sales account through assuming an IAM role, which eliminates the need to copy the data or share the KMS key, and also eliminates the need to modify the S3 bucket policy or create a KMS grant. This solution allows using the same access to the bucket without duplicating data and re-encrypting it.
upvoted 26 times
masetromain
2 years ago
A. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3 bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket is not correct because it would create unnecessary data duplication and increased storage costs.

B. Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS Resource Access Manager (AWS RAM) to share the KMS key from the sales account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket is not correct because it does not provide a secure way to share the KMS key between accounts and also it would create unnecessary data duplication and increased storage costs.
upvoted 4 times
masetromain
2 years ago
C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket is not correct because the Sales team's S3 bucket is in a different account, so the Marketing team cannot update the policy on the Sales team's S3 bucket.
upvoted 2 times
...
...
...
Maria2023
Highly Voted 1 year, 7 months ago
Selected Answer: D
The catch is in the answers - "Update the S3 bucket policy in the marketing account". We don't need to access a bucket in the marketing but the sales account.
upvoted 9 times
...
kylix75
Most Recent 1 week, 3 days ago
Selected Answer: D
The correct answer is D.
Rationale:
- Lowest operational overhead using native IAM mechanisms
- Enables secure cross-account access through role assumption
- Maintains centralized access control
- No data duplication or additional storage costs
- Works seamlessly with existing KMS encryption
Other options' drawbacks:
A: Duplicates data and costs
B: SCPs aren't for granular access control
C: Incorrect bucket policy location (bucket is in sales account, not marketing)
upvoted 1 times
...
bhanus
1 month, 1 week ago
Selected Answer: C
Option C provides the most straightforward and efficient solution with the least operational overhead. It directly addresses the cross-account access need while maintaining security through appropriate S3 bucket and KMS key policies.
upvoted 2 times
...
nimbus_00
3 months, 4 weeks ago
Selected Answer: C
Creating an IAM role in the sales account that grants access to the S3 bucket and allowing the marketing account (QuickSight) to assume that role.
upvoted 1 times
...
amministrazione
5 months ago
C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.
upvoted 1 times
...
Jason666888
6 months ago
Selected Answer: C
There must be a typo in C. In the context of option D, if Amazon QuickSight needs to access data in an S3 bucket in a different AWS account, and the setup involves assuming multiple roles, this approach could be problematic. QuickSight would not be able to assume the role in the sales account while simultaneously using its own role in the marketing account.
upvoted 4 times
helloworldabc
5 months, 1 week ago
just D
upvoted 1 times
...
Jason666888
6 months ago
In C, "Update the S3 bucket policy in the marketing account" should be changed to "Update the S3 bucket policy in the sales account"
upvoted 3 times
...
...
8693a49
6 months, 1 week ago
Selected Answer: A
What is QuickSight rote? It can't be D. I'm assuming there is no typo, so C is wrong too. B is wrong because you can't grant that permission with SCPs. A would work provided that the replication permissions are set up correctly. It's not great because I don't think it's necessary to duplicate the data, but it's the only viable option we are given.
upvoted 1 times
Jason666888
6 months ago
Dude, do you have any idea what petabytes of data means? No one would do that in real life if there are other options.
upvoted 1 times
...
...
vip2
7 months, 1 week ago
Selected Answer: C
C should be correct if the typo is changed from market account to sales account for the S3 bucket policy statement.
upvoted 3 times
...
quizzical_kiwi
8 months ago
Selected Answer: C
Agree with other answers on C. This question is clearly a typo, and "marketing" should be changed to "sales" in C. The resolution for this scenario is even stated in the AWS Knowledge base, and the solution is identical when replacing "marketing" with "sales": https://repost.aws/knowledge-center/quicksight-cross-account-s3
upvoted 3 times
...
teo2157
9 months, 2 weeks ago
Selected Answer: C
It should be C and there should be a misspelling in "Update the S3 bucket policy in the marketing account" when it's referring to sales account
upvoted 2 times
...
djeong95
11 months, 1 week ago
I think this is a great question with poorly phrased answers. If I have to choose between C and D, it would be neither since they both do not provide complete answers. Let me explain: For C, you are updating the S3 bucket policy for the marketing account, when you should be doing that for the sales account. So, C is wrong. However, if that were fixed to the sales account, everything would make sense, since the sales account would be providing the right policy, granting the correct KMS key permission, and the marketing account would be tweaking its permission in QuickSight. For D, it is wrong simply because it says nothing about providing KMS key grant. Not only do you have to establish trust policy in the QuickSight role to access S3 bucket, you have to allow Decrypt to happen. You have to explicitly spell this out (read the permission part in the link below). https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
upvoted 2 times
djeong95
11 months, 1 week ago
https://repost.aws/knowledge-center/quicksight-cross-account-s3
upvoted 1 times
...
...
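The comments above turn on which account has to grant what. The sketch below is an added example, not part of the original thread and not AWS code: it checks that a cross-account read of an SSE-KMS object has an Allow on both the identity side (the QuickSight role's policy) and the resource side (bucket policy and key policy). All ARNs and account IDs are constructed placeholders, and the evaluator is deliberately simplified: it ignores Deny, Condition, KMS grants and account-root principals.

```python
import fnmatch

# Constructed placeholders: 111111111111 = sales account, 222222222222 = marketing account.
ROLE = "arn:aws:iam::222222222222:role/service-role/quicksight-s3-role"
BUCKET = "arn:aws:s3:::sales-data-example"
OBJ = BUCKET + "/reports/q1.csv"
KEY = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"

# Resource-based policies, both owned by the sales account.
bucket_policy = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
                                "Action": ["s3:GetObject", "s3:ListBucket"],
                                "Resource": [BUCKET, BUCKET + "/*"]}]}
key_policy = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
                             "Action": "kms:Decrypt", "Resource": "*"}]}
# Identity-based policy attached to the QuickSight role in the marketing account.
role_policy = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource, principal=None):
    """True if an Allow statement matches action and resource (and principal, if given)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if principal is not None:
            p = st.get("Principal")
            named = _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
            if principal not in named:
                continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False

def missing_grants(role, identity, bucket_pol, key_pol, obj_arn, key_arn):
    """List the grants still missing; cross-account access needs all four."""
    checks = {
        "role policy: s3:GetObject": allows(identity, "s3:GetObject", obj_arn),
        "bucket policy: s3:GetObject": allows(bucket_pol, "s3:GetObject", obj_arn, role),
        "role policy: kms:Decrypt": allows(identity, "kms:Decrypt", key_arn),
        "key policy: kms:Decrypt": allows(key_pol, "kms:Decrypt", key_arn, role),
    }
    return [name for name, ok in checks.items() if not ok]
```

Passing an empty key policy reproduces the gap pointed out for the answers that never mention KMS, and passing an empty bucket policy reproduces a bucket policy written in the wrong account.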
VerRi
11 months, 2 weeks ago
Selected Answer: D
Option C: Update the S3 bucket policy in the "marketing account" ....lol
upvoted 2 times
...
8608f25
11 months, 3 weeks ago
Selected Answer: C
The answer is C. Update the S3 bucket policy in the sales account to grant access to the QuickSight role in the marketing account. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket. Option C correctly identifies the need to update the S3 bucket policy to grant access specifically to the QuickSight IAM role in the marketing account, which directly addresses the requirement for cross-account access to S3 data. Additionally, creating a KMS grant for the encryption key to allow decrypt access by the QuickSight role aligns with best practices for secure, cross-account access to encrypted S3 data. This approach minimizes operational overhead by using existing roles and permissions without the need for replication or additional resource sharing mechanisms.
upvoted 2 times
...
AimarLeo
1 year ago
The question is badly formulated, with each of the given options missing a spec. None of the answers are fully convincing.
upvoted 2 times
...
tmlong18
1 year ago
Selected Answer: C
All answers are wrong:
A. No KMS, unnecessary replication
B. No IAM
D. No KMS
But the most likely answer is C. "Update the S3 bucket policy in the marketing account": the question never asked about a marketing team S3 bucket, and all the data is stored in the sales team's S3 bucket. I think it's a typing error (marketing -> sales).
upvoted 4 times
...
career360guru
1 year, 1 month ago
Selected Answer: D
Option D
upvoted 2 times
...