You need to grant permission to a vendor to access your AWS account.
They need to read some files in a private S3 bucket in your AWS account.
The vendor has its own AWS account.
What is the best way to grant the permissions?
A. Create an IAM User with API Access Keys. Grant the User permissions to access the bucket. Give the vendor the AWS Access Key ID and AWS Secret Access Key for the User.
B. Create an EC2 Instance Profile on your account. Grant the associated IAM role full access to the bucket. Start an EC2 instance with this Profile and give SSH access to the instance to the vendor.
C. In your AWS account, create a cross-account IAM Role with permission to access the bucket, and grant permission to use the Role to the vendor AWS account.
D. Generate a signed S3 PUT URL and a signed S3 PUT URL, both with wildcard values and 2-year durations. Pass the URLs to the vendor.
Answer: C
You can use AWS Identity and Access Management (IAM) roles and AWS Security Token Service (STS) to set up cross-account access between AWS accounts: you create a role in your account whose trust policy names the vendor's account, and a principal in the vendor's account calls sts:AssumeRole to receive temporary credentials for that role.
For more information on cross-account access, please visit the URL below:
https://aws.amazon.com/blogs/security/tag/cross-account-access/
The best way to grant a vendor read access to files in a private S3 bucket in your AWS account is to create a cross-account IAM Role with permission to read the bucket, and grant permission to assume the Role to the vendor's AWS account. Therefore, option C is the correct answer.
Explanation for each option:
A. Create an IAM User with API Access Keys. Grant the User permissions to access the bucket. Give the vendor the AWS Access Key ID and AWS Secret Access Key for the User. This option is not recommended because it hands the vendor long-lived static credentials for your account. Access keys do not expire unless you rotate them, anyone who obtains them (the vendor, or whoever compromises the vendor's systems) acts as that IAM user, and your only way to revoke access is to deactivate or delete the key. AWS guidance is to avoid long-term access keys for third parties and to use roles with temporary credentials instead.
B. Create an EC2 Instance Profile on your account. Grant the associated IAM role full access to the bucket. Start an EC2 instance with this Profile and give SSH access to the instance to the vendor. This option is not recommended because it gives the vendor an interactive foothold inside your account: anyone with a shell on the instance can read the role's credentials from the instance metadata service, and the role has been granted full access to the bucket (including writes and deletes) when the vendor only needs to read. In addition, this method is costly and operationally awkward because it requires running and maintaining an EC2 instance solely for the purpose of granting access.
C. In your AWS account, create a cross-account IAM Role with permission to access the bucket, and grant permission to use the Role to the vendor AWS account. This option is the best way to grant access to the vendor because it involves creating an IAM role with only the permissions needed to read the S3 bucket (s3:ListBucket and s3:GetObject on that bucket) and then allowing the vendor's AWS account to assume that role through STS. No sensitive secrets are shared: the vendor authenticates with their own credentials and receives short-lived temporary credentials for the role. The trust policy should also require an External ID agreed with the vendor, which protects against the confused-deputy problem when the vendor operates the same integration for many customers. Revocation is a matter of editing or deleting the role's trust policy, and every use of the role is recorded in CloudTrail under the vendor's session. This is a secure and scalable way to grant cross-account access.
D. Generate a signed S3 PUT URL and a signed S3 PUT URL, both with wildcard values and 2-year durations. Pass the URLs to the vendor. This option is not recommended, and as written it cannot work: a presigned URL is bound to one object key and one HTTP method, so it cannot carry wildcard values, and a Signature Version 4 presigned URL cannot be valid for longer than seven days. A PUT URL would also grant upload rights when the vendor only needs to read. Even for the objects it could cover, a presigned URL is a bearer token that anyone holding the link can use, and it cannot be revoked individually without invalidating the credentials that signed it. Presigned URLs suit handing out one-off, short-lived access to a specific object, not ongoing access to a bucket.
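To make option C concrete, the following is an added example (not part of the original question or explanation) that builds the two policy documents a cross-account read-only role needs, the trust policy with an External ID condition and the least-privilege permissions policy, plus the parameters the vendor would pass to sts:AssumeRole. It also includes a small checker that flags the mistakes the wrong options make (a wildcard principal, a missing External ID, s3:* or a resource outside the bucket). The account IDs, bucket name, role name and External ID are placeholders chosen for the example.

```python
"""Cross-account read-only S3 access: build and sanity-check the policies.

Added example, not taken from the page. All identifiers below are
assumed placeholders; substitute your own before use.
"""
import json

OUR_ACCOUNT_ID = "111111111111"      # assumption: the bucket owner's account
VENDOR_ACCOUNT_ID = "222222222222"   # assumption: the vendor's account
BUCKET = "example-private-bucket"    # assumption: bucket the vendor may read
EXTERNAL_ID = "vendor-xyz-7f3a"      # assumption: value agreed with the vendor out of band
ROLE_NAME = "VendorS3ReadOnly"       # assumption: name of the cross-account role


def trust_policy(vendor_account_id, external_id):
    """Who may assume the role: only principals in the vendor's account,
    and only when they present the agreed ExternalId (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket):
    """What the role may do: list the bucket and read its objects, nothing else.
    ListBucket applies to the bucket ARN, GetObject to the object ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_role(trust, perms, vendor_account_id, bucket):
    """Return a list of findings; an empty list means the pair looks safe."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*" or vendor_account_id not in p:
                findings.append(f"trust policy principal is not the vendor account: {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("trust policy has no sts:ExternalId condition")
    read_only = {"s3:ListBucket", "s3:GetObject"}
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in perms["Statement"]:
        for a in _as_list(st["Action"]):
            if a not in read_only:
                findings.append(f"permissions policy allows non-read action: {a}")
        for r in _as_list(st["Resource"]):
            if r not in in_scope:
                findings.append(f"permissions policy resource outside the bucket: {r}")
    return findings


def assume_role_request(our_account_id, role_name, external_id):
    """Parameters the vendor passes to sts:AssumeRole
    (with boto3: boto3.client("sts").assume_role(**params))."""
    return {
        "RoleArn": f"arn:aws:iam::{our_account_id}:role/{role_name}",
        "RoleSessionName": "vendor-read-session",
        "ExternalId": external_id,
        "DurationSeconds": 3600,   # one-hour temporary credentials
    }


if __name__ == "__main__":
    trust = trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID)
    perms = permissions_policy(BUCKET)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", check_role(trust, perms, VENDOR_ACCOUNT_ID, BUCKET))
    # An option-B style "full access" policy is caught by the checker.
    too_broad = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print("findings for s3:*:", check_role(trust, too_broad, VENDOR_ACCOUNT_ID, BUCKET))
    print(json.dumps(assume_role_request(OUR_ACCOUNT_ID, ROLE_NAME, EXTERNAL_ID), indent=2))
```

The two JSON documents are what you would pass to iam create-role (trust policy) and iam put-role-policy (permissions policy); the vendor needs only the role ARN and the External ID, never a secret of yours. Note that the trust policy names the vendor account's root principal, which delegates to the vendor's own IAM policies which of their users or roles may actually call AssumeRole; if you want to pin it to one vendor role, put that role's ARN in the Principal instead.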