Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)
Update the EFS file system policy to provide Account B with access to mount and write to the EFS file system in Account A.
Create SCPs to set permission guardrails with fine-grained control for Amazon EFS.
Create a new EFS file system in Account B. Use AWS Database Migration Service (AWS DMS) to keep data from Account A and Account B synchronized.
Update the Lambda execution roles with permission to access the VPC and the EFS file system.
Create a VPC peering connection to connect Account A to Account B.
Configure the Lambda functions in Account B to assume an existing IAM role in Account A.
Explanations:
Updating the EFS file system policy to allow access from Account B is necessary to let Lambda functions in Account B mount and write to the EFS file system in Account A.
Service control policies (SCPs) only restrict or grant access at the account level and cannot grant the cross-account permissions needed for EFS access.
Creating a new EFS file system in Account B and using AWS DMS is unnecessary and overly complex for shared storage; cross-account access to a single EFS file system is simpler and supported.
Updating the Lambda execution roles with the necessary VPC and EFS access permissions ensures the Lambda functions can connect to and use the EFS file system in the specified VPC.
Creating a VPC peering connection is required to allow network traffic between Account A and Account B, enabling Lambda functions in Account B to connect to EFS in Account A.
Configuring Lambda functions in Account B to assume a role in Account A is unnecessary, as updating permissions on the EFS and Lambda roles suffices.