AWS Certified Solutions Architect Associate SAA-C03 Practice Question
To enable a serverless code execution service in Account A to interact with object storage in Account B, which approach should be used to most securely grant the required permissions in line with best practices?
Set up a role in Account B granting full access to the object storage and define a broad trust policy that permits the assumption of this role by other identities, relying on additional service-specific policies in Account A to enforce restrictions.
Create an IAM role in Account B with the proper permissions for object storage and establish a trust relationship allowing the serverless function's role in Account A to assume this role.
Generate access keys for a user in Account B, store them as environmental variables for the serverless function in Account A, and use these keys within the function to access the object storage.
Configure the object storage in Account B to be publicly accessible and regulate access using resource-based policies that check the request origin.
The most secure way to provide the necessary permissions is by creating a role in Account B with the appropriate permissions to the object storage and setting up a trust relationship that allows the execution role of the function in Account A to assume this role when needed. This method upholds the practice of granting least privilege access. The other methods either do not provide the direct cross-account functionality required, may lead to unnecessary exposure of credentials, or do not properly adhere to the principle of least privilege.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an IAM role and how does it work in AWS?
Open an interactive chat with Bash
What does a trust relationship in IAM mean?
Open an interactive chat with Bash
What is the principle of least privilege in the context of AWS?