Home › AWS Solutions Architect Associate › cloudcomputing › securearchitectures › An organisation needs to give a partner read-onl…
An organisation needs to give a partner read-only access to one specific S3 bucket across AWS accounts WITHOUT creating an IAM user in their own account. Which approach is correct?
AMake the bucket public so the partner can browse it
BEmail a copy of the bucket-owner's access key to the partner
CCreate an IAM role in the bucket-owner account that the partner can assume via STS, with a trust policy referencing the partner's account
DDisable IAM entirely and trust the partner
Answer & Solution
Correct answer: C. Create an IAM role in the bucket-owner account that the partner can assume via STS, with a trust policy referencing the partner's account
Cross-account assume-role via STS is the canonical pattern: define a role with the needed permissions, set a trust policy allowing the partner's principal to assume it. The other options range from credential leak to making the data public.
Related questions
Which AWS feature lets you store and retrieve secrets (database passwords, API tokens) witWhich AWS service enables an organisation to enforce a baseline of security configuration Which combination implements defense-in-depth network segmentation inside a VPC for a publA team wants short-lived credentials (15 minutes) for an external CI/CD system running OUTA workload needs to encrypt sensitive S3 objects with keys that the customer creates, rotaWhich AWS service is purpose-built to find and classify sensitive data (e.g. PII, credit-cWhich AWS service inspects CloudTrail / VPC flow logs / DNS query logs with ML to detect aAn organisation needs a managed L7 web application firewall to filter SQL injection and cr