AWS Certified SysOps Administrator Practice Exam

How should permissions be configured for a user needing access to S3 buckets across multiple AWS accounts?

• A. Create a user in the HR account
• B. Implement a cross-account IAM policy
• C. Use AWS Organizations for permissions
• D. Share the AWS account password

The correct answer is: Implement a cross-account IAM policy

Implementing a cross-account IAM policy is the most effective way to configure permissions for a user needing access to S3 buckets across multiple AWS accounts. Cross-account IAM policies allow you to define permissions that explicitly grant a user or role in one AWS account access to resources in another AWS account. By using cross-account policies, you can specify the principal (the user or role from the other account), the resources they can access (such as specific S3 buckets), and the types of actions they can perform (like read, write, or delete). This method is secure and follows the least privilege principle, allowing users to have only the access necessary to perform their tasks without granting unnecessary permissions. Other options may not provide the required access or could introduce security risks. Creating a user in the HR account would limit that user's access to the resources only within that specific account and wouldn't facilitate access to other accounts' S3 buckets. Utilizing AWS Organizations for permissions would help in managing permissions across accounts within an organization but often focuses more on the structure and management of accounts rather than directly providing resource access. Sharing the AWS account password is highly discouraged; it compromises security by exposing sensitive credentials and can lead to unauthorized access.