What should the solutions architect do to meet these requirements?
Create a cross-account role in the central account. Assume the role from the production account when the logs are being copied.
Create a policy on the S3 bucket with the production account ID as the principal. Allow S3 access from a delegated user.
Create a policy on the S3 bucket with access from only the CIDR range of the EC2 instances in the production account. Use the production account ID as the principal.
Create a cross-account role in the production account. Assume the role from the production account when the logs are being copied.
Explanations:
The first option (a cross-account role in the central account) is correct. Creating the role in the central account lets the production account assume it for the sole purpose of copying logs to the S3 bucket. Access is controlled through the role's trust and permissions policies, the logs are uploaded securely, and because the writing identity belongs to the central account, the central account can read the logs.
The second option (a bucket policy with the production account ID as principal, plus a delegated user) is not suitable. Although a bucket policy naming the production account as principal might seem like a way to grant access, it lacks the granularity and security of role-based delegation. This setup can expose the bucket to wider access than intended and does not establish a secure delegation process.
The third option (a bucket policy restricted to the CIDR range of the EC2 instances) is not appropriate because IP-based restrictions are not a reliable way to manage permissions. They do not account for changes in the environment or in IP addresses and can cause access failures if the instances are moved or replaced. They also provide no secure mechanism for cross-account access.
The fourth option (a cross-account role in the production account) is incorrect because it does not fulfil the requirement that the central account receive the logs. The role must exist in the central account so that the production account can assume it for log uploads; a role in the production account does not give the central account the access it needs to read the logs directly.
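As an added illustration (not part of the original question or its explanations), the policies below show what the correct option looks like in practice: a role in the central account whose trust policy names the production account's EC2 instance role, a permissions policy scoped to a single log prefix, and the matching sts:AssumeRole grant on the production side. The account IDs (111111111111 central, 222222222222 production), the role names and the bucket name are constructed placeholders.

```yaml
# Added example, not from the original page. Account IDs, role names and
# the bucket name are constructed placeholders.

# --- CENTRAL account (111111111111): the role the production account assumes ---
CentralLogWriterRole:
  TrustPolicy:                      # who may assume the role
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          # Trust one specific role in the production account, not the whole account
          AWS: "arn:aws:iam::222222222222:role/ProdLogShipperInstanceRole"
        Action: "sts:AssumeRole"
  PermissionsPolicy:                # what the role may do once assumed
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action: "s3:PutObject"      # write-only, to one prefix; add s3:ListBucket only if a sync is used
        Resource: "arn:aws:s3:::example-central-logs/prod/*"

# --- PRODUCTION account (222222222222): the EC2 instance role must be allowed to assume it ---
ProdLogShipperInstanceRolePolicy:
  Version: "2012-10-17"
  Statement:
    - Effect: Allow
      Action: "sts:AssumeRole"
      Resource: "arn:aws:iam::111111111111:role/CentralLogWriterRole"
```

The instance calls sts:AssumeRole, receives short-lived credentials for CentralLogWriterRole, and performs the copy with them. Two properties follow that the bucket-policy options lack: the trust relationship is explicit on both sides (the central account chooses exactly which production principal it trusts, and the production account chooses which of its principals may assume), and the objects are written by an identity in the central account, so the central account owns them and can read them without any further ACL or ownership configuration.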