Which additional actions should the solutions architect take to meet these requirements?
A. Create an IAM role in the Organizations master account with permissions to use the Cost Explorer API, and establish trust between the role and the analytics account. Update the Lambda function role and add sts:AssumeRole permissions. Assume the role in the master account from the Lambda function code by using the AWS Security Token Service (AWS STS) AssumeRole API call. Create a gateway endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the S3 endpoint.
B. Create an IAM role in the analytics account with permissions to use the Cost Explorer API. Update the Lambda function and assign the new role. Create a gateway endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the analytics VPC by using the aws:SourceVpc condition.
C. Create an IAM role in the Organizations master account with permissions to use the Cost Explorer API, and establish trust between the role and the analytics account. Update the Lambda function role and add sts:AssumeRole permissions. Assume the role in the master account from the Lambda function code by using the AWS Security Token Service (AWS STS) AssumeRole API call. Create an interface endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the analytics VPC private CIDR range by using the aws:SourceIp condition.
D. Create an IAM role in the analytics account with permissions to use the Cost Explorer API. Update the Lambda function and assign the new role. Create an interface endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the S3 endpoint.
Explanations:
Option A: This option correctly implements a cross-account access model in which the analytics account assumes a role in the master account that holds the Cost Explorer API permissions. By adding the necessary sts:AssumeRole permission to the Lambda function role and calling the STS AssumeRole API, the Lambda function obtains temporary credentials and can read the Cost Explorer data securely. The gateway endpoint for Amazon S3 lets the analytics application reach S3 without traversing the public internet, and the S3 bucket policy restricts access to requests arriving through that VPC endpoint, so only the analytics application can access the data.
Option B: This option creates an IAM role in the analytics account for the Cost Explorer API, which would not let the Lambda function in the analytics account read cost data that lives in the master account. The analytics account instead needs permission to assume a role in the master account. The gateway endpoint is appropriate, but without cross-account access this solution won't work.
Option C: While this option correctly creates an IAM role in the master account for Cost Explorer API access, it incorrectly proposes an interface endpoint for S3. Amazon S3 requires a gateway endpoint for VPC access, and creating an interface endpoint is unnecessary. Additionally, using aws:SourceIp in the S3 bucket policy would not effectively restrict access to the analytics VPC.
Option D: Similar to option B, this option creates an IAM role in the analytics account but provides no way to access Cost Explorer data from the master account. It also incorrectly suggests an interface endpoint for S3, which is not required for S3 access from a VPC, and the S3 bucket policy does not address the cross-account access requirement.
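The moving parts of option A, as an added example that is not part of the original question or any AWS sample: the trust, permission, Lambda-role and bucket policies, plus the Lambda's STS AssumeRole flow in Python with boto3. Account IDs, role names, the bucket and the endpoint ID are placeholders, and boto3 is imported inside the handler so the policy helpers run without it.

```python
import json

MASTER_ACCOUNT = "111111111111"     # placeholder: Organizations master (management) account
ANALYTICS_ACCOUNT = "222222222222"  # placeholder: analytics account that runs the Lambda
COST_ROLE_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:role/CostExplorerReadRole"      # assumed role name
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ANALYTICS_ACCOUNT}:role/AnalyticsLambdaRole"  # assumed role name

def master_role_trust_policy():
    """Trust policy on the master-account role: only the analytics Lambda role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN}, "Action": "sts:AssumeRole"}]}

def master_role_permissions():
    """Permissions on the master-account role: read Cost Explorer and nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["ce:GetCostAndUsage"], "Resource": "*"}]}

def lambda_role_policy():
    """Added to the analytics Lambda role: may assume exactly the master-account role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": COST_ROLE_ARN}]}

def bucket_policy(bucket, vpce_id):
    """Deny any request not arriving via the S3 gateway endpoint (also blocks console use; exempt an admin role first)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideGatewayEndpoint", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}]}

def assume_cost_role(sts_client, session_name="cost-report"):
    """Exchange the Lambda role's credentials for short-lived master-account credentials via STS."""
    resp = sts_client.assume_role(RoleArn=COST_ROLE_ARN, RoleSessionName=session_name, DurationSeconds=900)
    return resp["Credentials"]

def lambda_handler(event, context):
    """Assume the master role, pull a monthly cost report, write it to S3 through the gateway endpoint."""
    import boto3  # present in the Lambda runtime; imported here so the helpers above run without it
    creds = assume_cost_role(boto3.client("sts"))
    ce = boto3.client("ce", region_name="us-east-1",  # Cost Explorer is served from us-east-1
                      aws_access_key_id=creds["AccessKeyId"], aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    report = ce.get_cost_and_usage(TimePeriod={"Start": event["start"], "End": event["end"]},
                                   Granularity="MONTHLY", Metrics=["UnblendedCost"])
    boto3.client("s3").put_object(Bucket=event["bucket"], Key=f"cost/{event['start']}.json",
                                  Body=json.dumps(report["ResultsByTime"]).encode())
    return {"status": "ok", "periods": len(report["ResultsByTime"])}
```

The Lambda role keeps its own S3 write permission; the policies above only add the cross-account hop and the endpoint restriction that options B, C and D get wrong.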