Which solution should the Solutions Architect use to meet the security requirements?
A. In the build account, create a new IAM role, which can be assumed by Amazon EC2 only. Attach the role to the EC2 instance running the continuous integration process. Create an IAM policy to allow s3:PutObject calls on the S3 bucket in the web account. In the web account, create an S3 bucket policy attached to the S3 bucket that allows the build account to use s3:PutObject calls.
B. In the build account, create a new IAM role, which can be assumed by Amazon EC2 only. Attach the role to the EC2 instance running the continuous integration process. Create an IAM policy to allow s3:PutObject calls on the S3 bucket in the web account. In the web account, create an S3 bucket policy attached to the S3 bucket that allows the newly created IAM role to use s3:PutObject calls.
C. In the build account, create a new IAM user. Store the access key and secret access key in AWS Secrets Manager. Modify the continuous integration process to perform a lookup of the IAM user credentials from Secrets Manager. Create an IAM policy to allow s3:PutObject calls on the S3 bucket in the web account, and attach it to the user. In the web account, create an S3 bucket policy attached to the S3 bucket that allows the newly created IAM user to use s3:PutObject calls.
D. In the build account, modify the continuous integration process to perform a lookup of the IAM user credentials from AWS Secrets Manager. In the web account, create a new IAM user. Store the access key and secret access key in Secrets Manager. Attach the PowerUserAccess IAM policy to the IAM user.
Explanations:
Option A: This option creates an IAM role that EC2 instances in the build account can assume and allows it to put objects into the S3 bucket in the web account. However, it does not explicitly require the IAM role to be assumed by the EC2 instance, and the S3 bucket policy grants the entire build account rather than the specific role. The bucket policy needs to reference the IAM role ARN, not just the account, so that only the CI role can write to the bucket.
Option B: This option correctly creates an IAM role in the build account that can be assumed only by EC2. The role carries the minimal permission needed, s3:PutObject on the S3 bucket in the web account, and the S3 bucket policy in the web account is scoped to that specific role. This enforces least privilege and relies on the temporary credentials the instance profile provides, so no long-lived credentials are used. This is the correct answer.
Option C: This option creates an IAM user whose long-lived access keys are stored in AWS Secrets Manager, which goes against the requirement of avoiding long-lived credentials. While it does provide a way to reach the S3 bucket, storing an access key in Secrets Manager does not make it short-lived, and IAM users with access keys do not follow security best practices when an instance role is available.
Option D: This option creates a new IAM user in the web account with the PowerUserAccess managed policy, which grants far more permissions than s3:PutObject on a single bucket. It also stores long-lived credentials in Secrets Manager, violating the requirement of not using long-lived credentials. This option is not secure and does not follow the principle of least privilege.
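The three policy documents that the correct option describes (role trust policy and identity policy in the build account, bucket policy in the web account), as an added example that is not part of the original question. Account IDs, bucket and role names are constructed placeholders, and lint_bucket_policy is a hypothetical review check that flags the account-wide principal the weaker option would use.

```python
"""Cross-account S3 write from an EC2 instance role, with a least-privilege check.

Added example, not from the original page. Account IDs, bucket and role
names below are constructed placeholders.
"""
import json

BUILD_ACCOUNT = "111111111111"      # constructed placeholder
WEB_ACCOUNT = "222222222222"        # constructed placeholder
BUCKET = "example-web-assets"       # constructed placeholder
ROLE_NAME = "ci-artifact-writer"    # constructed placeholder
ROLE_ARN = f"arn:aws:iam::{BUILD_ACCOUNT}:role/{ROLE_NAME}"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"


def trust_policy():
    """Build account: only the EC2 service may assume the role (no users, no other accounts)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def identity_policy():
    """Build account: the role may only PutObject into the web account's bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": f"{BUCKET_ARN}/*"}]}


def bucket_policy(principal_arn=ROLE_ARN):
    """Web account: resource policy naming the specific role, not the whole build account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "s3:PutObject",
        "Resource": f"{BUCKET_ARN}/*"}]}


def lint_bucket_policy(policy):
    """Return reviewer findings; an empty list means the policy is scoped to one role and one action.
    An account ':root' principal delegates the grant to every IAM principal in that account that
    has matching identity permissions, which is broader than the single CI role."""
    problems = []
    for st in policy["Statement"]:
        principals = st["Principal"]["AWS"]
        for p in ([principals] if isinstance(principals, str) else principals):
            if p == "*" or p.endswith(":root") or ":role/" not in p:
                problems.append(f"principal too broad: {p}")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        problems += [f"action beyond s3:PutObject: {a}" for a in actions if a != "s3:PutObject"]
    return problems


if __name__ == "__main__":
    print(json.dumps({"trust": trust_policy(), "identity": identity_policy(),
                      "bucket": bucket_policy()}, indent=2))
    print(lint_bucket_policy(bucket_policy(f"arn:aws:iam::{BUILD_ACCOUNT}:root")))
```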