Free Preparation Discussions
MENU
Amazon Exam Amazon-DEA-C01 Topic 1 Question 13 Discussion
Topic #: 1
A company uses Amazon S3 to store data and Amazon QuickSight to create visualizations.
The company has an S3 bucket in an AWS account named Hub-Account. The S3 bucket is encrypted by an AWS Key Management Service (AWS KMS) key. The company's QuickSight instance is in a separate account named BI-Account
The company updates the S3 bucket policy to grant access to the QuickSight service role. The company wants to enable cross-account access to allow QuickSight to interact with the S3 bucket.
Which combination of steps will meet this requirement? (Select TWO.)
Problem Analysis:
The company needs cross-account access to allow QuickSight in BI-Account to interact with an S3 bucket in Hub-Account.
The bucket is encrypted with an AWS KMS key.
Appropriate permissions must be set for both S3 access and KMS decryption.
Key Considerations:
QuickSight requires IAM permissions to access S3 data and decrypt files using the KMS key.
Both S3 and KMS permissions need to be properly configured across accounts.
Solution Analysis:
Option A: Use Existing KMS Key for Encryption
While the existing KMS key is used for encryption, it must also grant decryption permissions to QuickSight.
Option B: Add S3 Bucket to QuickSight Role
Granting S3 bucket access to the QuickSight service role is necessary for cross-account access.
Option C: AWS RAM for Bucket Sharing
AWS RAM is not required; bucket policies and IAM roles suffice for granting cross-account access.
Option D: IAM Policy for KMS Access
QuickSight's service role in BI-Account needs explicit permissions to use the KMS key for decryption.
Option E: Add KMS Key as Resource for Role
The KMS key must explicitly list the QuickSight role as an entity that can access it.
Implementation Steps:
S3 Bucket Policy in Hub-Account: Add a policy to the S3 bucket granting the QuickSight service role access:
json
{
'Version': '2012-10-17',
'Statement': [
{
'Effect': 'Allow',
'Principal': { 'AWS': 'arn:aws:iam::<BI-Account-ID>:role/service-role/QuickSightRole' },
'Action': 's3:GetObject',
'Resource': 'arn:aws:s3:::<Bucket-Name>/*'
}
]
}
KMS Key Policy in Hub-Account: Add permissions for the QuickSight role:
{
'Version': '2012-10-17',
'Statement': [
{
'Effect': 'Allow',
'Principal': { 'AWS': 'arn:aws:iam::<BI-Account-ID>:role/service-role/QuickSightRole' },
'Action': [
'kms:Decrypt',
'kms:DescribeKey'
],
'Resource': '*'
}
]
}
IAM Policy for QuickSight Role in BI-Account: Attach the following policy to the QuickSight service role:
{
'Version': '2012-10-17',
'Statement': [
{
'Effect': 'Allow',
'Action': [
's3:GetObject',
'kms:Decrypt'
],
'Resource': [
'arn:aws:s3:::<Bucket-Name>/*',
'arn:aws:kms:<region>:<Hub-Account-ID>:key/<KMS-Key-ID>'
]
}
]
}
Lauran
14 days agoDell
17 days agoJaclyn
18 days agoFidelia
20 days agoLauran
26 days agoMa
1 months agoBong
1 months agoTarra
13 days agoAja
16 days agoSharen
22 days agoMable
1 months agoMi
18 days agoJina
19 days agoCatarina
22 days ago