What is the MOST operationally efficient solution that meets these requirements?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A large industrial company has two AWS accounts.One account is for production, and one account is for development.The company manages the production account under its corporate organization in AWS Organizations.The development account is an isolated environment that developers use for testing.The company stores all the application configuration information in an Amazon S3 bucket in the production account.All developers in the development account are members of a single IAM group.A solutions architect must ensure that the developers can update the application configuration information in real time.

What is the MOST operationally efficient solution that meets these requirements?

In the production account, modify the S3 bucket policy by adding the development account ID in the condition field. Add a permissions policy to the developers’ IAM group to allow users to put objects in the production S3 bucket.

In the production account, create a two-staged pipeline that uses AWS CodeDeploy and an S3 bucket that has versioning enabled. Create an IAM role in the production account that has the permission to put objects in the S3 bucket. Associate the role with the pipeline. Allow developers to push a new version in the S3 bucket.

Create an IAM role in the production account. Establish a trust relationship between the production account and the development account. Specify a permissions policy in the role to allow trusted users to put objects in the S3 bucket. Grant sts:AssumeRole permissions to the developers’ IAM group for the role.

Create an S3 bucket in the development account. Enable S3 bucket replication between the development S3 bucket and the production S3 bucket.

Explanations:

Modifying the S3 bucket policy to allow the development account ID to access the bucket can grant access, but it does not control the permissions effectively. This could lead to security issues, as it may unintentionally allow more permissions than intended. It does not provide a well-structured way to manage permissions securely.

Creating a two-staged pipeline using AWS CodeDeploy adds unnecessary complexity for the requirement to update configuration information in real time. Additionally, while using a pipeline may work, it is not the most operationally efficient solution given that it requires managing and maintaining the pipeline infrastructure and operations.

Creating an IAM role in the production account with a trust relationship to the development account is a secure and efficient solution. It allows developers to assume the role and gain permissions to put objects in the S3 bucket without exposing direct access. This approach maintains a clear separation of accounts while providing necessary access in a controlled manner.

Creating a separate S3 bucket in the development account and enabling replication adds unnecessary complexity and could lead to eventual data inconsistency issues. The goal is to allow developers to update configuration in real time, which would not be achieved efficiently by maintaining a replicated bucket system.

2025-10-10

1 Comment

  1. Gary
    Author

    In my experience, the answer is:
    Create an IAM role in the production account. Establish a trust relationship between the production account and the development account. Specify a permissions policy in the role to allow trusted users to put objects in the S3 bucket. Grant sts:AssumeRole permissions to the developers’ IAM group for the role.

Leave a Reply

Your email address will not be published. Required fields are marked *

10 − 6 =