What should a solutions architect suggest to the company to allow access to the objects in Amazon S3 through CloudFront?
Modify the S3 upload process in the Build Account to add the bucket-owner-full-control ACL to the objects at upload.
Create a new cross-account IAM role in the Distribution Account with write access to the S3 bucket. Modify the build pipeline to assume this role to upload the files to the Distribution Account.
Modify the S3 upload process in the Build Account to set the object owner to the Distribution Account.
Create a new IAM role in the Distribution Account with read access to the S3 bucket. Configure CloudFront to use this new role as its OAI. Modify the build pipeline to assume this role when uploading files from the Build Account.
Explanations:
Adding the bucket-owner-full-control ACL during upload gives ownership of the uploaded objects to the bucket owner (the Distribution Account), allowing CloudFront to access the objects.
Creating a cross-account IAM role with write access is unnecessary and does not resolve the object access issue, as the issue relates to object ownership and permissions.
It is not possible to directly set the object owner to another account (the Distribution Account) during upload; this requires ACL modification instead.
Configuring CloudFront to use a new IAM role is not feasible, as CloudFront uses an Origin Access Identity (OAI) to access S3 buckets rather than an IAM role.