Amazon-DEA-C01 Exam - Topic 1 Question 13 Discussion

Actual exam question for Amazon's Amazon-DEA-C01 exam
Question #: 13
Topic #: 1

A company uses Amazon S3 to store data and Amazon QuickSight to create visualizations.

The company has an S3 bucket in an AWS account named Hub-Account. The S3 bucket is encrypted by an AWS Key Management Service (AWS KMS) key. The company's QuickSight instance is in a separate account named BI-Account.

The company updates the S3 bucket policy to grant access to the QuickSight service role. The company wants to enable cross-account access to allow QuickSight to interact with the S3 bucket.

Which combination of steps will meet this requirement? (Select TWO.)

Suggested Answer: D, E

Problem Analysis:

The company needs cross-account access to allow QuickSight in BI-Account to interact with an S3 bucket in Hub-Account.

The bucket is encrypted with an AWS KMS key.

Appropriate permissions must be set for both S3 access and KMS decryption.

Key Considerations:

QuickSight requires IAM permissions to access S3 data and decrypt files using the KMS key.

Both S3 and KMS permissions need to be properly configured across accounts.

Solution Analysis:

Option A: Use Existing KMS Key for Encryption

While the existing KMS key is used for encryption, it must also grant decryption permissions to QuickSight.

Option B: Add S3 Bucket to QuickSight Role

Granting S3 bucket access to the QuickSight service role is necessary for cross-account access.

Option C: AWS RAM for Bucket Sharing

AWS RAM is not required; bucket policies and IAM roles suffice for granting cross-account access.

Option D: IAM Policy for KMS Access

QuickSight's service role in BI-Account needs explicit permissions to use the KMS key for decryption.

Option E: Add KMS Key as Resource for Role

The KMS key must explicitly list the QuickSight role as an entity that can access it.

Implementation Steps:

S3 Bucket Policy in Hub-Account: Add a policy to the S3 bucket granting the QuickSight service role access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<BI-Account-ID>:role/service-role/QuickSightRole" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<Bucket-Name>/*"
    }
  ]
}
```

KMS Key Policy in Hub-Account: Add permissions for the QuickSight role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<BI-Account-ID>:role/service-role/QuickSightRole" },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM Policy for QuickSight Role in BI-Account: Attach the following policy to the QuickSight service role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:s3:::<Bucket-Name>/*",
        "arn:aws:kms:<region>:<Hub-Account-ID>:key/<KMS-Key-ID>"
      ]
    }
  ]
}
```
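The three policies above only work together: a cross-account read of a KMS-encrypted object needs an Allow on both the identity side (BI-Account) and the resource side (Hub-Account), for both S3 and KMS. The following is an added example, not part of the original page or of any AWS tooling. It is a simplified offline checker that reports which of the four grants is missing; the account IDs, bucket name, key ID and all function names are constructed placeholders, and Condition keys are not evaluated.

```python
import fnmatch
# Constructed placeholders, not real account IDs, bucket names or key IDs.
ROLE = "arn:aws:iam::111111111111:role/service-role/QuickSightRole"   # BI-Account
OBJECTS = "arn:aws:s3:::example-hub-bucket/*"                          # Hub-Account
KEY = "arn:aws:kms:us-east-1:222222222222:key/00000000-0000-0000-0000-000000000000"

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource, principal=None):
    """Simplified: Effect/Principal/Action/Resource only, no Condition keys."""
    allowed = False
    for st in as_list(policy["Statement"]):
        if principal is not None:  # resource-based policy: caller must be named
            p = st.get("Principal", {})
            named = ["*"] if p == "*" else as_list(p.get("AWS", []))
            if "*" not in named and principal not in named:
                continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":  # an explicit Deny always wins
            return False
        allowed = True
    return allowed

def cross_account_gaps(identity_policy, bucket_policy, key_policy):
    """Names of the grants still missing for ROLE to read an encrypted object."""
    obj = OBJECTS[:-1] + "reports/q1.csv"
    checks = {
        "BI-Account identity policy: s3:GetObject": allows(identity_policy, "s3:GetObject", obj),
        "BI-Account identity policy: kms:Decrypt": allows(identity_policy, "kms:Decrypt", KEY),
        "Hub-Account bucket policy: s3:GetObject": allows(bucket_policy, "s3:GetObject", obj, ROLE),
        "Hub-Account key policy: kms:Decrypt": allows(key_policy, "kms:Decrypt", KEY, ROLE),
    }
    return [name for name, ok in checks.items() if not ok]

def policy(actions, resources, principal=None):
    st = {"Effect": "Allow", "Action": actions, "Resource": resources}
    if principal:
        st["Principal"] = {"AWS": principal}
    return {"Version": "2012-10-17", "Statement": [st]}

BUCKET_POLICY = policy("s3:GetObject", OBJECTS, ROLE)
KEY_POLICY = policy(["kms:Decrypt", "kms:DescribeKey"], "*", ROLE)
IDENTITY_POLICY = policy(["s3:GetObject", "kms:Decrypt"], [OBJECTS, KEY])
S3_ONLY_IDENTITY = policy("s3:GetObject", OBJECTS)  # the KMS grant was forgotten
if __name__ == "__main__":
    print(cross_account_gaps(S3_ONLY_IDENTITY, BUCKET_POLICY, KEY_POLICY))
```

With the S3-only identity policy the checker reports the missing kms:Decrypt grant on the BI-Account side, which is the case where the bucket policy alone is in place and reads of encrypted objects still fail.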


Contribute your Thoughts:

Emogene
1 month ago
Just adding the bucket policy should be enough, right?
upvoted 0 times
...
Vivan
2 months ago
I think C is a bit overkill for this scenario.
upvoted 0 times
...
Elvera
2 months ago
Wait, can QuickSight even access KMS keys directly?
upvoted 0 times
...
Tamesha
2 months ago
I vaguely recall that we need to ensure QuickSight can access both the S3 bucket and the KMS key. Adding the KMS key as a resource might be necessary, but I’m not 100% sure.
upvoted 0 times
...
Mila
2 months ago
I'm not entirely sure, but I feel like we might need to give QuickSight access to the KMS key too. That seems important for encryption.
upvoted 0 times
...
Dottie
2 months ago
I remember that cross-account access is tricky, but I think adding the S3 bucket as a resource for the QuickSight role is definitely one of the steps.
upvoted 0 times
...
Gracie
3 months ago
Definitely B and D! Makes total sense.
upvoted 0 times
...
Han
3 months ago
QuickSight needs access to the S3 bucket for sure.
upvoted 0 times
...
Mona
3 months ago
This question reminds me of a practice scenario we did about IAM policies. I think using AWS RAM to share the bucket could be a valid option, but I'm not completely confident.
upvoted 0 times
...
Dortha
3 months ago
I'm not sure about the KMS key part. Do we really need to give QuickSight access to the KMS key, or can we just use the existing key to encrypt the connections?
upvoted 0 times
...
Chaya
3 months ago
I'm pretty confident I know the answer here. We need to do two things: add the S3 bucket as a resource the QuickSight service role can access, and add the KMS key as a resource the QuickSight service role can use to decrypt the bucket.
upvoted 0 times
...
Latosha
4 months ago
Okay, let me think this through. We need to allow QuickSight in the BI-Account to access the S3 bucket in the Hub-Account. So we'll need to update the bucket policy and the QuickSight service role permissions.
upvoted 0 times
...
Haydee
4 months ago
I'm a bit confused about the cross-account access requirement. Do we need to use AWS RAM to share the S3 bucket, or can we just update the bucket policy?
upvoted 0 times
...
Glendora
4 months ago
This seems straightforward. I think the key steps are to grant the QuickSight service role access to the S3 bucket and the KMS key that encrypts it.
upvoted 0 times
...
Dino
4 months ago
The AWS RAM option (C) is interesting, but I'm not sure if that's necessary here since the accounts are already separate. I'd focus on the S3 bucket policy and IAM permissions first.
upvoted 0 times
...
Audry
4 months ago
This seems straightforward enough. I'd go with options B and D to meet the requirement.
upvoted 0 times
...
Sabra
5 months ago
Okay, I think I've got this. We need to add the S3 bucket as a resource the QuickSight service role can access, and also give the QuickSight role access to the KMS key that encrypts the bucket.
upvoted 0 times
...
Kristian
5 months ago
Hmm, I'm a bit confused about the KMS key encryption part. Do we need to do anything specific with the KMS key to enable QuickSight access?
upvoted 0 times
...
Marsha
5 months ago
This looks like a straightforward cross-account access question. I'd start by reviewing the S3 bucket policy and the QuickSight service role to see what permissions are already in place.
upvoted 0 times
...
Lauran
11 months ago
Yes, and we should also add an IAM policy to the QuickSight service role to give QuickSight access to the KMS key that encrypts the S3 bucket.
upvoted 0 times
...
Dell
11 months ago
I believe we should add the KMS key as a resource that the QuickSight service role can access as well.
upvoted 0 times
...
Jaclyn
11 months ago
I agree with that. We also need to add the S3 bucket as a resource that the QuickSight service role can access.
upvoted 0 times
...
Fidelia
11 months ago
Hah, I can just imagine the conversation in the office. 'Wait, you mean we have to use AWS RAM for this? I thought we were just going to add another IAM policy!'
upvoted 0 times
Amalia
9 months ago
Employee 2: Let's also add the S3 bucket as a resource for the QuickSight service role.
upvoted 0 times
...
Nadine
9 months ago
Employee 1: Should we use the existing AWS KMS key for encryption?
upvoted 0 times
...
Ashton
9 months ago
Employee 2: Yeah, we have to update the S3 bucket policy and enable cross-account access.
upvoted 0 times
...
Elvis
10 months ago
Employee 1: So, we need to grant access to QuickSight to interact with the S3 bucket.
upvoted 0 times
...
...
Lauran
11 months ago
I think we should use the existing AWS KMS key to encrypt connections from QuickSight to the S3 bucket.
upvoted 0 times
...
Ma
11 months ago
C is definitely the way to do it. Sharing the S3 bucket through RAM is the simplest and most secure option.
upvoted 0 times
...
Bong
11 months ago
I agree with Mable. B and C are the way to do it. Although D sounds like it could work, it's not the most efficient approach.
upvoted 0 times
Tarra
11 months ago
Yeah, D might work but it seems like B and C are more efficient.
upvoted 0 times
...
Aja
11 months ago
I agree, those seem like the best choices.
upvoted 0 times
...
Sharen
11 months ago
I think we should go with options B and C.
upvoted 0 times
...
...
Mable
12 months ago
B and C are the correct options. Sharing the S3 bucket through AWS RAM is the way to go for cross-account access.
upvoted 0 times
Mi
11 months ago
That makes sense. Sharing through AWS RAM is the best option for cross-account access.
upvoted 0 times
...
Jina
11 months ago
C) Use AWS Resource Access Manager (AWS RAM) to share the S3 bucket with the BI-Account account.
upvoted 0 times
...
Catarina
11 months ago
B) Add the S3 bucket as a resource that the QuickSight service role can access.
upvoted 0 times
...
...
