What should the security engineer do to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company provides an AWS account for each of its teams.Members of each team authenticate with AWS by using user accounts in their own team’s account.The company created a project-specific AWS account for collaboration by three or more teams.The company also created a new Amazon S3 bucket inside this new account.There is no S3 bucket policy or S3 ACL.A security engineer must implement a secure solution so that all teams can read objects and write to objects that are stored in the S3 bucket.

What should the security engineer do to meet these requirements?

In the same AWS account where the S3 bucket resides, update the bucket’s ACL to include the canonical user ID of the teams’ AWS accounts. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket

In the same AWS account where the S3 bucket resides, create an IAM role that has appropriate permissions for the bucket. Include a trust policy that specifies the teams’ AWS accounts as the principals. Teams will assume the role when they read objects and write to objects in the bucket

In the same AWS account where the S3 bucket resides, add a bucket policy to allow all the teams to read objects and write to objects in the bucket. Teams will specify the account number of the AWS account where the bucket is located when they read objects and write to objects in the bucket.

In the same AWS account where the S3 bucket resides, create an IAM user, an IAM group, and access keys for each team. Each team will share its access keys when the team reads objects and writes to objects in the bucket.

Explanations:

Using S3 bucket ACLs to grant permissions by specifying the canonical user IDs of the teams’ AWS accounts is not a scalable or manageable solution. ACLs are limited in flexibility compared to bucket policies or IAM roles, and they may lead to confusion when managing permissions across multiple accounts. Also, ACLs are not the best practice for cross-account access.

Creating an IAM role with appropriate permissions for the S3 bucket and including a trust policy that specifies the teams’ AWS accounts as principals is a secure and flexible solution. This allows members from different accounts to assume the role, enabling them to read and write to the bucket without needing to manage multiple IAM users or access keys. It follows AWS best practices for cross-account access.

Adding a bucket policy to allow all teams to read and write objects is a feasible option, but it may expose the bucket to more permissions than necessary if not configured properly. Furthermore, this approach lacks the fine-grained control and security benefits that IAM roles provide, especially for managing access across multiple accounts.

Creating individual IAM users and access keys for each team is not a recommended practice due to security risks. Sharing access keys can lead to unauthorized access if not managed correctly. Additionally, this approach is not scalable and makes managing permissions cumbersome as teams change or expand. IAM roles would provide a more secure and manageable solution.

2025-10-07

1 Comment

  1. Dylan
    Author

    I figure that the answer is:
    In the same AWS account where the S3 bucket resides, create an IAM role that has appropriate permissions for the bucket. Include a trust policy that specifies the teams’ AWS accounts as the principals. Teams will assume the role when they read objects and write to objects in the bucket

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × one =