Fixing AWS S3 Bucket Access Issue for Cross-Account Uploads


Question

You maintain AWS account A, which contains an S3 bucket that another AWS account B needs to upload files to.

In the S3 bucket policy, s3:PutObject is allowed for the IAM user in account B.

The IAM user in account B can successfully upload objects to the S3 bucket with "aws s3api put-object".

However, it has been found that users in AWS account A cannot open the newly uploaded objects.

How should you fix this issue?

Explanations

Correct Answer - D.

After account B has uploaded objects to the bucket in account A, the objects are still owned by account B, and account A does not have access to them.

To fix this, the option --acl "bucket-owner-full-control" should be added when the object is uploaded via aws s3api put-object.

Details can be found in:
https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#grant-putobject-conditionally-1

Option A is incorrect because account A still cannot fully control the objects uploaded from the other account.

Option B is incorrect because the --grant-full-control option is used to grant permissions to other grantees; it does not help in this scenario.

Option C is incorrect because it does not resolve the permissions of objects uploaded from another account.

Option D is CORRECT because the bucket-owner-full-control ACL gives the bucket owner, account A, full control over the uploaded objects.

The issue described in this scenario is that users in AWS account A cannot open newly uploaded objects in an S3 bucket maintained by account A, even though the IAM user in account B has successfully uploaded the objects using the s3:PutObject permission allowed in the bucket policy.

To fix this issue, the solution should allow the users in account A to access the newly uploaded objects in the S3 bucket.

Option A suggests adding read permission to the bucket policy for account A users. This solution would work, as it would grant read access to the S3 bucket for account A users. However, it is not the best solution because it would grant read access to all objects in the bucket, including existing objects. This may not be desirable in some situations.

Option B suggests using an admin user in account A to modify the object permissions to "full control" using the aws s3api put-bucket-acl --grant-full-control command. This solution would work, as it would grant full control over the object to the owner of the bucket, which is account A. However, this solution may not be practical if there are many objects in the bucket.

Option C suggests adding read/write access to AWS account A in the Access Control List (ACL) of the bucket. This solution would work, as it would grant read/write access to the bucket for account A. However, it is not the best solution because it would grant access to all objects in the bucket, including existing objects. This may not be desirable in some situations.

Option D suggests adding the option of --acl "bucket-owner-full-control" to the aws s3api put-object command when the IAM user in account B uploads objects. This solution would work, as it would grant full control over the object to the owner of the bucket, which is account A. This solution is the best option because it only grants full control to the newly uploaded objects and not to all existing objects in the bucket.

Therefore, the best solution to fix this issue is to use option D and add the --acl "bucket-owner-full-control" option to the aws s3api put-object command when the IAM user in account B uploads objects to the S3 bucket maintained by account A.