Granting Access to Company Users
Question
A company has external vendors that must deliver files to the company.
These vendors have cross-account permission to upload objects to one of the company's S3 buckets. Which step is required by the vendor to allow company users to access the files?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D. E.Answer: B.
Options A is incorrect because bucket ACLs are used to give grants to bucket owners and not the IAM role.
Option B is CORRECT because adding a grant to the S3 bucket's ACL will give full permission to the bucket owner.
Option C is incorrect because encryption is not part of the requirement.
Option D is incorrect because bucket ACLs are used to give grants to bucket owners and not the bucket policy.
Option E is incorrect as it does not grant permission to the bucket owner.
This scenario is given in the AWS Documentation:
A bucket owner can enable other AWS accounts to upload objects.
These objects are owned by the accounts that created them.
The bucket owner does not own objects that the bucket owner did not create.
Therefore, for the bucket owner to grant access to these objects, the object owner must first grant permission to the bucket owner to use an object ACL.
The bucket owner can then delegate those permissions via a bucket policy.
In this example, the bucket owner delegates permission to users in its own account.
For more information on this scenario, please see the below Link:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
The correct answer to this question is option D, "Add a bucket policy to the bucket that grants the bucket owner full permissions to the object."
Explanation:
When external vendors need to upload files to an S3 bucket owned by a company, it is a best practice to use cross-account permissions. This means that the vendors should have an IAM role that allows them to upload files to the company's S3 bucket.
However, just allowing the vendors to upload files is not sufficient. The files must also be accessible to company users who need to work with them. To make the files accessible, the company must configure the S3 bucket policy to grant the necessary permissions.
Option A is incorrect because attaching an IAM role to the bucket that grants the bucket owner full permissions to the object is not necessary. The bucket owner already has full permissions to the objects in the bucket.
Option B is incorrect because adding a grant to the object's ACL giving full permissions to the bucket owner does not address the issue of making the files accessible to company users.
Option C is incorrect because encrypting the object with a KMS key controlled by the company is a good security practice, but it does not address the issue of making the files accessible to company users.
Option E is incorrect because uploading the file to the company's S3 bucket is what the vendor is already doing. The question is asking what the vendor needs to do to allow company users to access the files.
In summary, the correct answer is option D because adding a bucket policy to the S3 bucket is the most appropriate way to grant permissions to the company users who need to access the files uploaded by the vendor.