Which is the MOST efficient way to provide the Developers with access?
Create an AWS Lambda function with an IAM role attached to it that has access to both accounts’ S3 buckets. Pull the logs from the production S3 bucket to the development S3 bucket.
Create IAM users for each Developer on the production account, and add the Developers to an IAM group that provides read-only access to the S3 log bucket.
Create an Amazon EC2 bastion host with an IAM role attached to it that has access to the production S3 log bucket, and then provision access for the Developers on the host.
Create a resource-based policy for the S3 bucket on the production account that grants access to the development account, and then delegate access in the development account.
Explanations:
Using AWS Lambda to move logs from the production S3 bucket to the development S3 bucket is not the most efficient way. Lambda functions have execution limits and may incur additional costs and complexity for simple log viewing.
Creating IAM users for each Developer in the production account and managing access via an IAM group is cumbersome and doesn’t scale well; there is also no need to create users directly in the production account.
Setting up an EC2 bastion host requires maintaining an instance, which is inefficient for a use case that only requires access to S3 logs. It introduces unnecessary complexity and operational overhead.
A resource-based policy on the S3 bucket in the production account is the most efficient and scalable way to grant cross-account access. This method allows developers in the development account to directly access the production logs without the need for extra IAM users or complex infrastructure.
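To make the two halves of the correct answer concrete, here is an added example (not part of the original question or answer key) that models the bucket policy on the production account, the delegating policy in the development account, and a simplified IAM evaluation showing that a cross-account request needs both. Account IDs, the bucket name and user ARNs are constructed placeholders; explicit Deny, SCPs and conditions are deliberately left out of the evaluator.

```python
from fnmatch import fnmatchcase

PROD_ACCOUNT = "111111111111"    # placeholder production account id
DEV_ACCOUNT = "222222222222"     # placeholder development account id
LOG_BUCKET = "prod-log-bucket"   # placeholder production log bucket name
LOG_ARNS = [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"]
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]

# Half 1: resource-based policy attached to the log bucket in the production
# account. It trusts the development account (its root principal), read-only.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDevAccountReadLogs",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
        "Action": READ_ACTIONS,
        "Resource": LOG_ARNS,
    }],
}

# Half 2: identity-based policy in the development account, attached to the
# Developers group. This is the delegation step: trusting the account only lets
# that account's admins hand out access; each principal still needs an Allow.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": READ_ACTIONS, "Resource": LOG_ARNS}],
}

def _allows(policy, action, resource, principal=None):
    """True if an Allow statement covers action/resource (and principal, if given)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if principal is not None and principal != st["Principal"]["AWS"]:
            continue
        if any(fnmatchcase(action, a) for a in st["Action"]) and \
           any(fnmatchcase(resource, r) for r in st["Resource"]):
            return True
    return False

def is_allowed(user_arn, identity_policy, action, resource, bucket_account=PROD_ACCOUNT):
    """Simplified IAM decision: same-account requests need either policy,
    cross-account requests need the bucket policy AND the caller's identity policy."""
    caller_account = user_arn.split(":")[4]
    by_bucket = _allows(BUCKET_POLICY, action, resource, f"arn:aws:iam::{caller_account}:root")
    by_identity = _allows(identity_policy, action, resource)
    if caller_account == bucket_account:
        return by_bucket or by_identity
    return by_bucket and by_identity
```

A developer in the trusted account with the group policy can read the logs, while a write, a developer without the delegated policy, or a user from an untrusted account is refused.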