A. Create a new IAM role in the Development account with read access to the S3 bucket. Configure S3 to use this new role as its OAI. Modify the build pipeline to assume this role when uploading files from the Development Account.
B. Create a new cross-account IAM role in the Production account with write access to the S3 bucket. Modify the build pipeline to assume this role to upload the files to the Production Account.
C. Modify the S3 upload process in the Development account to set the object owner to the Production Account.
D. Modify the S3 upload process in the Development account to add the bucket-owner-full-control ACL to the objects at upload.
Solution
Explanation
To be able to access the bucket directly and upload objects, a new IAM role can be created in the Production account with the necessary write permissions on the bucket. The build pipeline in the Development account can then assume this role using cross-account access.
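The two policy documents that wiring this up requires, plus the pipeline-side call sequence, as an added example (not code from the original question bank). Account ids, the bucket name, the role names and the pipeline principal ARN are constructed placeholders; the `boto3` calls in `upload_from_pipeline` are the real SDK calls but need credentials, so the offline part of the example is the policy builders and the lint check.

```python
"""Cross-account upload into the Production bucket through a role that lives
in the Production account (the approach the explanation above describes).

Added example, not part of the original page. Account ids, bucket name, role
names and the pipeline principal ARN are constructed placeholders.
"""
import json

# Constructed placeholder identifiers; replace with the real ones.
DEV_ACCOUNT_ID = "111111111111"
PROD_ACCOUNT_ID = "222222222222"
DEV_PIPELINE_ROLE_ARN = f"arn:aws:iam::{DEV_ACCOUNT_ID}:role/BuildPipelineRole"
PROD_UPLOAD_ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT_ID}:role/ArtifactUploadRole"
PROD_BUCKET = "example-prod-artifacts"


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy(dev_principal_arn: str) -> dict:
    """Trust policy on the Production role: only the Development pipeline
    principal may call sts:AssumeRole on it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": dev_principal_arn},
        "Action": "sts:AssumeRole"}]}


def permissions_policy(bucket: str) -> dict:
    """Identity policy on the Production role: write objects into the bucket
    and nothing else (no read, no bucket administration). Because the role is
    in the same account as the bucket, no bucket policy is needed unless one
    explicitly denies the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def pipeline_assume_policy(prod_role_arn: str) -> dict:
    """Attached to the Development pipeline role: for a cross-account
    AssumeRole the caller's own identity policy must allow the call as well
    as the target role's trust policy."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": prod_role_arn}]}


def check_cross_account_setup(trust: dict, perms: dict,
                              dev_principal_arn: str, bucket: str) -> list:
    """Lint the two documents before deploying them. Returns a list of
    findings; an empty list means the role is wired the way the answer
    describes and is no broader than it needs to be."""
    problems, assume_ok = [], False
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        if "*" in aws:
            problems.append("trust policy allows a wildcard principal to assume the role")
        if dev_principal_arn in aws:
            assume_ok = True
    if not assume_ok:
        problems.append("trust policy does not allow the Development pipeline principal")

    put_ok, object_arn = False, f"arn:aws:s3:::{bucket}/*"
    for st in perms.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        if any(a in ("s3:*", "*") for a in actions) or "*" in resources:
            problems.append("permissions policy is broader than object writes to the bucket")
        if "s3:PutObject" in actions and object_arn in resources:
            put_ok = True
    if not put_ok:
        problems.append(f"permissions policy does not grant s3:PutObject on {object_arn}")
    return problems


def upload_from_pipeline(local_path: str, key: str) -> None:
    """Runs inside the Development-account pipeline: assume the Production
    role, then upload with the temporary credentials. Since the role belongs
    to the Production account, the object is owned by that account from the
    start, so no bucket-owner-full-control ACL is needed. Needs boto3 and
    pipeline credentials; not exercised offline."""
    import boto3  # imported here so the policy helpers above run without it

    creds = boto3.client("sts").assume_role(
        RoleArn=PROD_UPLOAD_ROLE_ARN, RoleSessionName="build-pipeline-upload")["Credentials"]
    s3 = boto3.client("s3",
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    with open(local_path, "rb") as body:
        s3.put_object(Bucket=PROD_BUCKET, Key=key, Body=body)


if __name__ == "__main__":
    print(json.dumps(trust_policy(DEV_PIPELINE_ROLE_ARN), indent=2))
    print(json.dumps(permissions_policy(PROD_BUCKET), indent=2))
    findings = check_cross_account_setup(trust_policy(DEV_PIPELINE_ROLE_ARN),
                                         permissions_policy(PROD_BUCKET),
                                         DEV_PIPELINE_ROLE_ARN, PROD_BUCKET)
    print("lint:", findings or "ok")
```

Option A does not work because an Origin Access Identity is a CloudFront identity used to reach an S3 origin, not something an IAM role can be configured as; options C and D only paper over object ownership after the fact, whereas objects written through the Production-account role are owned by the Production account to begin with.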
A. Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to an IAM group. Change the group membership when developers change projects. Update the policy document when the set of resources changes.
B. Create a policy document for each project with specific project tags and allow full control of the resources with a matching tag. Attach the project-specific policy document to the IAM role for that project. Change the role assigned to the developer IAM user when they change projects. Assign a specific project tag to new resources when they are created.
C. Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to the developers IAM user when they change projects. Update the policy document when the set of resources changes.
D. Create an IAM role for each project that requires access to AWS resources. Attach an inline policy document to the role that specifies the IAM users that are allowed to assume the role, with full control of the resources that belong to the project. Update the policy document when the set of resources changes, or developers change projects.
Solution
Explanation
The correct answer follows the simple principle of using groups to assign permissions to users. A policy document granting full control of the project's resources to the developers in that group can be created. This is the most administratively simple approach, because group membership and policy updates are centralized in each group and its policy document.

“Create a policy document for each project with specific project tags and allow full control of the resources with a matching tag. Attach the project-specific policy document to the IAM role for that project. Change the role assigned to the developer’s IAM user when they change projects. Assign a specific project tag to new resources when they are created” is incorrect. This is not as simple as using group membership to control access, and it requires developers to assume a role rather than interacting directly.

“Create an IAM role for each project that requires access to AWS resources. Attach an inline policy document to the role that specifies the IAM users that are allowed to assume the role, with full control of the resources that belong to the project. Update the policy document when the set of resources changes, or developers change projects” is incorrect. This solution requires IAM users to assume a role rather than interacting directly. It also requires that the role they assume changes each time they move between projects, which would require new instructions to be provided to the users. It is simpler just to change group membership and allow them direct access to resources.

“Create a customer managed policy document for each project that requires access to AWS resources. Specify full control of the resources that belong to the project. Attach the project-specific policy document to the developer’s IAM user when they change projects. Update the policy document when the set of resources changes” is incorrect. Inline policies should be avoided as they must be administered on each IAM user account. Attaching a policy to a group and moving users between groups is much simpler.
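The group-based layout the explanation prefers, as an added example (not code from the original page): one customer managed policy per project attached to a per-project group, a project switch that is only a membership change, and a resource change that is only a new policy version. The account id, project names and resource ARNs are constructed placeholders; `iam` is any object exposing the boto3 IAM client methods used here (`boto3.client("iam")` in production, the recording double below when run offline).

```python
"""Project access through IAM groups, as the explanation above describes.

Added example, not part of the original page. Account id, project names and
resource ARNs are constructed placeholders.
"""
import json

ACCOUNT_ID = "111111111111"  # constructed placeholder


def project_policy(project: str, resource_arns: list) -> dict:
    """Full control of exactly the project's resources. In practice narrow
    "Action" to the services the project actually uses."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": f"{project}FullControl",
        "Effect": "Allow",
        "Action": "*",
        "Resource": list(resource_arns)}]}


def create_project_access(iam, project: str, resource_arns: list) -> str:
    """Create the managed policy and the group once per project; returns the
    policy ARN so later resource changes can be published against it."""
    resp = iam.create_policy(PolicyName=f"{project}-access",
                             PolicyDocument=json.dumps(project_policy(project, resource_arns)))
    policy_arn = resp["Policy"]["Arn"]
    iam.create_group(GroupName=f"{project}-developers")
    iam.attach_group_policy(GroupName=f"{project}-developers", PolicyArn=policy_arn)
    return policy_arn


def move_developer(iam, user: str, old_project: str, new_project: str) -> None:
    """Switching projects is two membership calls: no policy edit on the user,
    no role for the developer to assume."""
    iam.remove_user_from_group(GroupName=f"{old_project}-developers", UserName=user)
    iam.add_user_to_group(GroupName=f"{new_project}-developers", UserName=user)


def update_project_resources(iam, policy_arn: str, project: str, resource_arns: list) -> None:
    """When the project's resource set changes, publish a new default version
    of the one managed policy; every group member picks it up. A managed policy
    keeps at most five versions, so delete old ones before this fails."""
    iam.create_policy_version(PolicyArn=policy_arn,
                              PolicyDocument=json.dumps(project_policy(project, resource_arns)),
                              SetAsDefault=True)


class RecordingIamClient:
    """Offline stand-in for boto3's IAM client: records every call in order
    and returns the minimal responses the helpers above read."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"Policy": {"Arn": f"arn:aws:iam::{ACCOUNT_ID}:policy/{kwargs.get('PolicyName', '')}"}}
        return call


def demo() -> list:
    """Run the whole workflow against the recorder; returns the call sequence."""
    iam = RecordingIamClient()
    alpha = create_project_access(iam, "alpha", [f"arn:aws:s3:::alpha-data", f"arn:aws:s3:::alpha-data/*"])
    create_project_access(iam, "beta", [f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/beta-orders"])
    iam.add_user_to_group(GroupName="alpha-developers", UserName="dev1")
    move_developer(iam, "dev1", "alpha", "beta")
    update_project_resources(iam, alpha, "alpha", [f"arn:aws:s3:::alpha-data", f"arn:aws:s3:::alpha-data/*",
                                                   f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:alpha-jobs"])
    return iam.calls


if __name__ == "__main__":
    for name, kwargs in demo():
        print(name, kwargs)
```

The sequence the recorder captures is the whole administrative surface: policy creation and group attachment happen once per project, and afterwards neither a developer move nor a resource change touches any individual IAM user.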
A. Configure the application to send Set-Cookie headers to the viewer and control access to the files using signed cookies.
B. Use an Origin Access Identity (OAI) to control access to the S3 bucket to users of the CloudFront distribution only.
C. Configure a behavior in CloudFront that forwards requests for the files to the S3 bucket based on a path pattern.
D. Configure the application to generate a signed URL for authenticated users that provides time-limited access to the files.
Solution
Explanation
CloudFront signed cookies allow you to control who can access your content when you don’t want to change your current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the subscribers’ area of a website. When using signed cookies, the application sends three Set-Cookie headers to the viewer; the viewer stores the name-value pairs and adds them to subsequent requests in a Cookie header. Access is then controlled in CloudFront based on those cookies.