Which solution will meet these requirements with the LEAST operational overhead?

By:
On:
In: SAP-C02
Tagged:
With: 0 Comments
A company is running applications on AWS in a multi-account environment.The company’s sales team and marketing team use separate AWS accounts in AWS Organizations.The sales team stores petabytes of data in an Amazon S3 bucket.The marketing team uses Amazon QuickSight for data visualizations.The marketing team needs access to data that the sates team stores in the S3 bucket.The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key.The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in the marketing AWS account.The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts.

Which solution will meet these requirements with the LEAST operational overhead?

Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3 bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket.

Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS Resource Access Manager (AWS RAM) to share the KMS key from the sates account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.

Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.

Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight rote, to create a trust relationship with the new IAM role in the sales account.

Explanations:

Creating a new S3 bucket and configuring replication adds operational overhead due to replication configuration and the need for additional storage, making this approach less efficient and more costly.

Service control policies (SCPs) are not meant for granting direct resource access but for limiting permissions. Also, AWS RAM is not typically used for sharing KMS keys across accounts in this context, making this option invalid.

The option suggests updating the bucket policy in the “marketing account” which is a mistake; the S3 bucket is in the sales account. Additionally, a direct KMS grant could be complex to manage across accounts with multiple steps involved, increasing operational overhead.

Creating an IAM role in the sales account that grants access to the S3 bucket and allowing the marketing account to assume this role provides a straightforward cross-account access solution. This method minimizes operational overhead by directly granting secure access without unnecessary replication or complex setup.

Leave a Reply

Your email address will not be published. Required fields are marked *

4 × 1 =