In a large company, you work as an AWS administrator.
For a Windows SQL Server instance, there is already a daily task that regularly transfers the database backup files to an S3 bucket (DB_Backup_1) in AWS account 111111111111.
One data scientist asks you whether it is possible to copy the latest backup file to another S3 bucket (DB_Backup_2) in his AWS account 222222222222.
You plan to use AWS S3 CLI to do this.
Which combinations of methods can accomplish this mission? (Select TWO.)
Correct Answer - A, C.
Two items are required to enable the copy from an S3 bucket in the source account to another S3 bucket in the target account.
1. In the source AWS account, a bucket policy on the source bucket allows the target account to perform s3:ListBucket and s3:GetObject.
2. In the target AWS account, an IAM policy attached to the IAM user (or group) allows that user to copy the file from the source bucket (in the source account) to the target bucket (in the target account).
Option A is CORRECT: one example of such a bucket policy is shown below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "222222222222"},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::sourcebucket/*",
                "arn:aws:s3:::sourcebucket"
            ]
        }
    ]
}
More details can be found at https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/.
Option B is incorrect: the grant should be a bucket policy rather than an ACL.
Besides, s3:GetObject is needed instead of s3:PutObject.
Option C is CORRECT: this allows the data scientist user to read files (s3:GetObject) from the source bucket and write files (s3:PutObject) to the target bucket.
Option D is incorrect: there is no need for a bucket policy in the target account.
Option E is incorrect: in the target account, no Access Control List (ACL) is required.
Instead, an IAM policy should exist to allow the file copy.
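To make the "two items are required" rule concrete, here is an added Python model (not from this page and not an AWS tool) that checks whether the data scientist's copy is permitted given the source-account bucket policy (option A) and the target-account IAM policy (option C). Account IDs and bucket names are taken from the question; the policy documents are constructed here, and evaluation is simplified to Allow statements with no Deny or Condition handling.

```python
from fnmatch import fnmatchcase

SOURCE_ACCT, TARGET_ACCT = "111111111111", "222222222222"
BUCKET_OWNER = {"DB_Backup_1": SOURCE_ACCT, "DB_Backup_2": TARGET_ACCT}

# Option A: bucket policy on DB_Backup_1 in the source account (constructed).
SOURCE_BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": TARGET_ACCT},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::DB_Backup_1", "arn:aws:s3:::DB_Backup_1/*"]}]}

# Option C: IAM policy attached to the data scientist in the target account (constructed).
DATA_SCIENTIST_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::DB_Backup_1", "arn:aws:s3:::DB_Backup_1/*"]},
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::DB_Backup_2/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _statement_allows(stmt, action, resource, principal=None):
    """Allow-only check; a bucket-policy statement must also name the principal."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal is not None and principal not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
        return False
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def allowed(action, resource, caller_acct, identity_policy, bucket_policies):
    """Cross-account rule: the caller's identity policy must allow the action AND,
    if the bucket belongs to another account, that bucket's policy must allow it too."""
    if not any(_statement_allows(s, action, resource) for s in identity_policy["Statement"]):
        return False
    bucket = resource.split(":::")[1].split("/")[0]
    if BUCKET_OWNER[bucket] == caller_acct:
        return True  # same-account access: the identity policy alone is enough
    policy = bucket_policies.get(bucket, {"Statement": []})
    return any(_statement_allows(s, action, resource, caller_acct) for s in policy["Statement"])

def can_copy(key, identity_policy, bucket_policies):
    """aws s3 cp s3://DB_Backup_1/<key> s3://DB_Backup_2/<key> needs all three calls."""
    needed = [("s3:ListBucket", "arn:aws:s3:::DB_Backup_1"),
              ("s3:GetObject", f"arn:aws:s3:::DB_Backup_1/{key}"),
              ("s3:PutObject", f"arn:aws:s3:::DB_Backup_2/{key}")]
    return all(allowed(a, r, TARGET_ACCT, identity_policy, bucket_policies) for a, r in needed)
```

With both policies in place the copy is allowed; dropping either one (option A without C, or C without A) makes the cross-account read of DB_Backup_1 fail, while no bucket policy on DB_Backup_2 is needed because the caller owns it.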
To copy the latest backup file from the DB_Backup_1 bucket in account 111111111111 to the DB_Backup_2 bucket in account 222222222222, we need to ensure that the destination account has the necessary permissions to access and copy the objects.
Option A: In account 111111111111, attach a bucket policy to DB_Backup_1 that allows the destination account 222222222222 to perform the actions "s3:ListBucket" and "s3:GetObject". This option will allow the destination account to list the contents of the DB_Backup_1 bucket and retrieve the latest backup file. However, it does not provide permissions to copy the file to another bucket. Therefore, this option alone cannot accomplish the mission.
Option B: In account 111111111111, attach an Access Control List (ACL) policy to DB_Backup_1 that allows the destination account 222222222222 to perform the actions "s3:ListBucket" and "s3:PutObject". This option will allow the destination account to list the contents of the DB_Backup_1 bucket, retrieve the latest backup file, and copy it to the DB_Backup_2 bucket. Therefore, this option, in combination with option C or D, can accomplish the mission.
Option C: In account 222222222222, attach an IAM policy to the IAM user or group that allows the data scientist user to copy objects from the source bucket DB_Backup_1 to the bucket DB_Backup_2. This option will grant the IAM user or group in the destination account permission to copy objects from the source bucket DB_Backup_1 to the destination bucket DB_Backup_2. Therefore, this option, in combination with option B or D, can accomplish the mission.
Option D: In account 222222222222, attach a bucket policy to DB_Backup_2 that allows the destination account 222222222222 to perform the actions "s3:ListBucket" and "s3:PutObject". This option will allow the destination account to list the contents of the DB_Backup_2 bucket and copy the latest backup file to it. Therefore, this option, in combination with option B or C, can accomplish the mission.
Option E: In account 222222222222, attach an Access Control List (ACL) policy to DB_Backup_2 that allows the source account 111111111111 to perform the actions "s3:ListBucket", "s3:GetObject" and "s3:ListObject". This option grants the source account permission to list the contents of the destination bucket and retrieve the latest backup file. However, it does not provide permissions to copy the file to another bucket. Therefore, this option alone cannot accomplish the mission.
Therefore, the correct combinations of methods that can accomplish this mission are B and C, or B and D.