Which actions should the developer take to provide the application with access to the stream?
(Choose two.)
Update the instance profile role in Account A with stream read permissions.
Create an IAM role with stream read permissions in Account B.
Add a trust policy to the instance profile role and IAM role in Account B to allow the instance profile role to assume the IAM role.
Add a trust policy to the instance profile role and IAM role in Account B to allow reads from the stream.
Add a resource-based policy in Account B to allow read access from the instance profile role.
Explanations:
Updating the instance profile role in Account A with stream read permissions alone will not allow access to the Kinesis stream in Account B. Permissions need to be granted in Account B to the role in Account A.
Creating an IAM role in Account B with stream read permissions is necessary. This role allows Account A’s instances to access the stream.
A trust policy is needed in Account B to allow the instance profile role in Account A to assume the IAM role created in Account B. This establishes the cross-account trust relationship.
Adding a trust policy to the instance profile role and IAM role in Account B to allow reads from the stream is incorrect because trust policies control role assumption, not data access. Data access is managed via permissions, not trust.
Resource-based policies (like those in S3) are not used for Kinesis streams. Kinesis access is controlled through IAM roles and policies, not resource-based policies on the stream itself.
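The role-based setup from the explanations above, as an added example that is not part of the original question: the trust policy and permissions policy for the Account B role, with a small exact-match check that each link in the chain is present. The account IDs, role and stream names, region, Kinesis action list and the Account A `sts:AssumeRole` statement are assumptions, not taken from the question.

```python
# Added example; account IDs, role names, region and stream name are constructed placeholders.
ROLE_A = "arn:aws:iam::111111111111:role/app-instance-role"  # instance profile role, Account A
ROLE_B = "arn:aws:iam::222222222222:role/stream-reader"      # IAM role created in Account B
STREAM = "arn:aws:kinesis:us-east-1:222222222222:stream/example-stream"

# Account B, trust policy on ROLE_B: controls who may assume the role, nothing else.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_A}, "Action": "sts:AssumeRole"}]}

# Account B, permissions policy on ROLE_B: controls what the assumed role may do.
READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": STREAM,
    "Action": ["kinesis:DescribeStreamSummary", "kinesis:ListShards",
               "kinesis:GetShardIterator", "kinesis:GetRecords"]}]}

# Account A, identity policy on ROLE_A so the instance can call AssumeRole on ROLE_B.
CALLER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource=None, principal=None):
    """Exact-match test of Allow statements; ignores wildcards, conditions and Deny."""
    for stmt in _as_list(policy["Statement"]):
        who = stmt.get("Principal", {})
        trusted = _as_list(who.get("AWS", [])) if isinstance(who, dict) else []
        if (stmt.get("Effect") == "Allow"
                and action in _as_list(stmt.get("Action", []))
                and (resource is None or resource in _as_list(stmt.get("Resource", [])))
                and (principal is None or principal in trusted)):
            return True
    return False


def review(trust, read, caller):
    """Return the missing links in the cross-account chain (empty list = complete)."""
    gaps = []
    if not allows(caller, "sts:AssumeRole", resource=ROLE_B):
        gaps.append("Account A role cannot call sts:AssumeRole on the Account B role")
    if not allows(trust, "sts:AssumeRole", principal=ROLE_A):
        gaps.append("Account B role does not trust the Account A role")
    if not allows(read, "kinesis:GetRecords", resource=STREAM):
        gaps.append("Account B role has no read permission on the stream")
    return gaps
```

Passing a trust policy whose action is a Kinesis read action instead of `sts:AssumeRole` makes `review` report the missing trust link, which is the distinction the fourth explanation draws.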