Which combination of steps should the solutions architect take to meet these requirements?
(Choose three.)
Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to the account ID of the Strategy account.
Update the strategy_reviewer IAM role to grant full permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.
Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.
Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to an anonymous user.
Update the custom KMS key policy in the Creative account to grant encrypt permissions to the strategy_reviewer IAM role.
Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.
Explanations:
A bucket policy in the Creative account must grant read access to the Strategy account. Setting the principal to the Strategy account (its account root) limits the grant to that account; which identities inside that account can actually use it is then decided by their own IAM policies, which is why this pairs with updating the strategy_reviewer role.
Full permissions on the S3 bucket are far more than the Strategy account needs; least privilege calls for read only (s3:GetObject, plus s3:ListBucket if listing is required). Granting the role decrypt permission for the key is itself correct, so this option fails on the over-broad S3 grant, not on the KMS part.
The KMS key policy in the Creative account must allow the strategy_reviewer role to decrypt with the key; a principal from another account gets no access to a key unless the key policy names it. Without this, the role could be authorized to fetch the object but S3 would fail to decrypt it on the role's behalf.
Setting the principal to an anonymous user (Principal "*") makes the bucket readable by anyone on the internet. Access must be restricted to the Strategy account, not opened to the public.
Encrypt permission is not what the role needs: it reads existing objects, and S3 decrypts them on its behalf, which calls kms:Decrypt. Writing new SSE-KMS objects would need kms:GenerateDataKey, which is also not required here.
The strategy_reviewer IAM role must be granted read permissions on the S3 bucket and decrypt permission for the custom KMS key. Cross-account access requires both sides: the resource policies in the Creative account (bucket policy and key policy) and the identity policy in the Strategy account; neither side alone is sufficient.
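The three policy documents behind the correct answers, plus a small check that shows why all three are needed, as an added example that is not part of the original question. The account IDs, bucket name, key ID, region and object key are constructed placeholders, and the evaluator is a deliberately simplified model of IAM (Allow statements only; no Deny, Condition, SCP or permission-boundary handling):

```python
"""Cross-account read of SSE-KMS objects: bucket policy + key policy + role policy.
Added example, not from the original question: every account ID, bucket name, key ID
and region is a constructed placeholder, and the evaluator is a simplified IAM model
(Allow statements only: no Deny, Condition, SCP or permission-boundary handling)."""
from fnmatch import fnmatchcase

CREATIVE_ACCOUNT = "111111111111"   # assumed: owns the bucket and the KMS key
STRATEGY_ACCOUNT = "222222222222"   # assumed: owns the strategy_reviewer role
BUCKET = "creative-assets-example"  # assumed bucket name
KEY_ARN = (f"arn:aws:kms:us-east-1:{CREATIVE_ACCOUNT}:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")  # assumed key ID
ROLE_ARN = f"arn:aws:iam::{STRATEGY_ACCOUNT}:role/strategy_reviewer"
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]
BUCKET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]


def bucket_policy():
    """Creative account, resource side: read-only, principal = Strategy account root."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "StrategyAccountRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{STRATEGY_ACCOUNT}:root"},
         "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES}]}


def kms_key_policy():
    """Creative account, resource side: key admin stays local; decrypt only for the role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CreativeAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{CREATIVE_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "StrategyReviewerDecrypt", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN}, "Action": "kms:Decrypt", "Resource": "*"}]}


def role_policy():
    """Strategy account, identity side: policy attached to strategy_reviewer."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """'*' matches anyone; an account root (or bare account ID) covers that account's IAM identities."""
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    return any(p in ("*", caller_arn, account, f"arn:aws:iam::{account}:root")
               for p in _as_list(principal.get("AWS", [])))


def _allows(policy, action, resource, caller_arn=None):
    """True if an Allow statement matches action and resource (and principal, for resource policies)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if caller_arn and not _principal_matches(st["Principal"], caller_arn):
            continue
        if any(fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False


def grants_anonymous(policy):
    """Flags the 'anonymous user' option: an Allow whose Principal is '*' or {'AWS': '*'}."""
    for st in policy["Statement"]:
        p = st.get("Principal")
        if st["Effect"] == "Allow" and (p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))):
            return True
    return False


def cross_account_read_check(bucket_pol, key_pol, role_pol, caller_arn=ROLE_ARN):
    """Cross-account access needs the resource-side grant AND the identity-side grant,
    separately for S3 (GetObject) and for KMS (Decrypt). Returns each leg plus the verdict."""
    object_arn = f"arn:aws:s3:::{BUCKET}/campaign/draft.pdf"  # constructed object key
    legs = {
        "bucket_policy_allows_get":  _allows(bucket_pol, "s3:GetObject", object_arn, caller_arn),
        "role_allows_get":           _allows(role_pol, "s3:GetObject", object_arn),
        "key_policy_allows_decrypt": _allows(key_pol, "kms:Decrypt", KEY_ARN, caller_arn),
        "role_allows_decrypt":       _allows(role_pol, "kms:Decrypt", KEY_ARN),
    }
    return {**legs, "object_readable": all(legs.values())}


def wrong_option_outcomes():
    """The three distractors from the question, each applied on its own."""
    anonymous = bucket_policy()
    anonymous["Statement"][0]["Principal"] = "*"                 # 'anonymous user' option
    encrypt_only = kms_key_policy()
    encrypt_only["Statement"][1]["Action"] = "kms:Encrypt"       # encrypt instead of decrypt
    overbroad = role_policy()
    overbroad["Statement"][0]["Action"] = "s3:*"                 # 'full permissions' option
    return {
        "anonymous_principal_is_public": grants_anonymous(anonymous),
        "encrypt_only_key_policy_readable": cross_account_read_check(
            bucket_policy(), encrypt_only, role_policy())["object_readable"],
        "overbroad_role_readable": cross_account_read_check(
            bucket_policy(), kms_key_policy(), overbroad)["object_readable"],
    }
```

With the three correct policies every leg passes and `object_readable` is true; dropping any one of the grants (the key policy statement, the role's kms:Decrypt, or the role's s3:GetObject) fails exactly that leg. The over-broad `s3:*` role still reads the object, which is the point: it is rejected on least-privilege grounds, not because it does not work. `grants_anonymous` is the kind of check worth running on every bucket policy before it is applied.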