SAP-C02 Study Assistant

SAP-C02 Question 137

S3 IAM KMS

Question

A digital marketing company has multiple AWS accounts that belong to various teams. The creative team uses an Amazon S3 bucket in its AWS account to securely store images and media files that are used as content for the company’s marketing campaigns. The creative team wants to share the S3 bucket with the strategy team so that the strategy team can view the objects. A solutions architect has created an IAM role that is named strategy_reviewer in the Strategy account. The solutions architect also has set up a custom AWS Key Management Service (AWS KMS) key in the Creative account and has associated the key with the S3 bucket. However, when users from the Strategy account assume the IAM role and try to access objects in the S3 bucket, they receive an Access Denied error. The solutions architect must ensure that users in the Strategy account can access the S3 bucket. The solution must provide these users with only the minimum permissions that they need. Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)

Options

A. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to the account ID of the Strategy account.

B. Update the strategy_reviewer IAM role to grant full permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.

C. Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.

D. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to an anonymous user.

E. Update the custom KMS key policy in the Creative account to grant encrypt permissions to the strategy_reviewer IAM role.

F. Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.

Answer

ACF

Explanation

Correct answer: ACF
Explanation: the correct choice for this question is ACF.
Correct options:
A. Create a bucket policy that includes read permissions for the S3 bucket. Set the principal of the bucket policy to the account ID of the Strategy account.
C. Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.
F. Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.
Reasons: ...
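
Why all three of A, C and F are needed, shown as an added example that is not part of the page's own explanation. For a cross-account request, S3 only grants access when both the caller's identity policy in the Strategy account (option F) and the bucket policy in the Creative account (option A) allow it; a bucket policy whose principal is the Strategy account root lets that account decide through IAM which of its identities may read, which is what keeps the grant minimal. Because the objects are encrypted with a customer managed KMS key, S3 additionally calls kms:Decrypt on the caller's behalf, and that call is authorized separately: the key policy in the Creative account must allow the role (option C) and the role's own policy must carry kms:Decrypt as well. Option E grants kms:Encrypt, which a download never uses; option D's anonymous principal makes the bucket world-readable and option B's full permissions exceed what a reviewer needs. The Python below writes out the three policy documents and runs them, together with the wrong alternatives, through a deliberately simplified evaluator (explicit Deny wins, otherwise a cross-account call needs an Allow on both sides). The account IDs, bucket name, region and key ID are placeholders, and the evaluator is a teaching model of the rule, not the AWS policy engine.

```python
"""Added example: the three policy documents behind answer ACF and a
simplified cross-account evaluator. Account IDs, bucket name, region and
key ID are placeholders, not values from the question."""
import fnmatch

CREATIVE_ACCOUNT = "111111111111"   # placeholder: owns the bucket and the KMS key
STRATEGY_ACCOUNT = "222222222222"   # placeholder: owns the strategy_reviewer role
BUCKET = "creative-campaign-media"  # placeholder bucket name
KEY_ARN = (f"arn:aws:kms:us-east-1:{CREATIVE_ACCOUNT}:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder key ID
ROLE_ARN = f"arn:aws:iam::{STRATEGY_ACCOUNT}:role/strategy_reviewer"
BUCKET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]

# Option A: bucket policy in the Creative account. The principal is the Strategy
# account root, so the Strategy account delegates the read through IAM (option F).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{STRATEGY_ACCOUNT}:root"},
    "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES}]}

# Option C: key policy statement in the Creative account for the reviewer role.
# Decrypt only: downloading an SSE-KMS object never calls kms:Encrypt (option E).
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": "*"}]}   # in a key policy, "*" means this key only

# Option F: identity policy attached to strategy_reviewer in the Strategy account.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KEY_ARN}]}

# Wrong alternatives from the options, for comparison.
ANONYMOUS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{   # option D
    "Effect": "Allow", "Principal": "*", "Action": READ_ACTIONS, "Resource": BUCKET_RESOURCES}]}
ENCRYPT_ONLY_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{  # option E
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"}]}
ROLE_POLICY_WITHOUT_KMS = {"Version": "2012-10-17",                  # F minus kms:Decrypt
                           "Statement": [ROLE_POLICY["Statement"][0]]}


def _listed(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn, caller_account):
    """Resource-policy Principal: '*' (anyone), the caller's account root, or its ARN."""
    if principal == "*":
        return True
    accepted = {"*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"}
    return any(p in accepted for p in _listed(principal.get("AWS", [])))


def _policy_allows(policy, action, resource, caller_arn=None, caller_account=None):
    """Explicit Deny wins; otherwise True if some matching statement allows."""
    allowed = False
    for st in policy["Statement"]:
        if "Principal" in st and not _principal_matches(st["Principal"], caller_arn, caller_account):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _listed(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listed(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cross_account_allowed(identity_policy, resource_policy, action, resource):
    """Simplified AWS rule: a cross-account call needs an Allow in the caller's
    identity policy AND in the resource owner's resource policy."""
    return (_policy_allows(identity_policy, action, resource)
            and _policy_allows(resource_policy, action, resource, ROLE_ARN, STRATEGY_ACCOUNT))


def can_read_sse_kms_object(bucket_policy, key_policy, role_policy, key="hero.jpg"):
    """strategy_reviewer fetching one SSE-KMS object: S3 authorizes GetObject, then
    calls KMS Decrypt as the caller, which the key policy must authorize separately."""
    obj_arn = f"arn:aws:s3:::{BUCKET}/{key}"
    return (cross_account_allowed(role_policy, bucket_policy, "s3:GetObject", obj_arn)
            and cross_account_allowed(role_policy, key_policy, "kms:Decrypt", KEY_ARN))


def grants_anonymous_read(policy):
    """True if any Allow statement uses the wildcard principal (option D)."""
    for st in policy["Statement"]:
        p = st.get("Principal")
        if st["Effect"] == "Allow" and (
                p == "*" or (isinstance(p, dict) and "*" in _listed(p.get("AWS", [])))):
            return True
    return False


if __name__ == "__main__":
    print("A+C+F:", can_read_sse_kms_object(BUCKET_POLICY, KEY_POLICY, ROLE_POLICY))
    print("A+E+F:", can_read_sse_kms_object(BUCKET_POLICY, ENCRYPT_ONLY_KEY_POLICY, ROLE_POLICY))
    print("A+C, role lacks kms:Decrypt:",
          can_read_sse_kms_object(BUCKET_POLICY, KEY_POLICY, ROLE_POLICY_WITHOUT_KMS))
    print("D+C+F reads, but bucket is public:", grants_anonymous_read(ANONYMOUS_BUCKET_POLICY))
```

Running the block prints True only for the A+C+F combination; swapping C for E or dropping kms:Decrypt from the role fails at the KMS step even though the S3 step succeeds, which is exactly the Access Denied the question describes. The anonymous variant (D) also evaluates to True, which is why least privilege, not just "does it work", decides between A and D.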