A company uses Amazon S3 to store data and Amazon QuickSight to create visualizations.
The company has an S3 bucket in an AWS account named Hub-Account. The S3 bucket is encrypted by an AWS Key Management Service (AWS KMS) key. The company's QuickSight instance is in a separate account named BI-Account.
The company updates the S3 bucket policy to grant access to the QuickSight service role. The company wants to enable cross-account access to allow QuickSight to interact with the S3 bucket.
Which combination of steps will meet this requirement? (Select TWO.)
Problem Analysis:
The company needs cross-account access to allow QuickSight in BI-Account to interact with an S3 bucket in Hub-Account.
The bucket is encrypted with an AWS KMS key.
Appropriate permissions must be set for both S3 access and KMS decryption.
Key Considerations:
QuickSight requires IAM permissions to access S3 data and decrypt files using the KMS key.
Both S3 and KMS permissions need to be properly configured across accounts.
Solution Analysis:
Option A: Use Existing KMS Key for Encryption
While the existing KMS key is used for encryption, it must also grant decryption permissions to QuickSight.
Option B: Add S3 Bucket to QuickSight Role
Granting S3 bucket access to the QuickSight service role is necessary for cross-account access.
Option C: AWS RAM for Bucket Sharing
AWS RAM is not required; bucket policies and IAM roles suffice for granting cross-account access.
Option D: IAM Policy for KMS Access
QuickSight's service role in BI-Account needs explicit permissions to use the KMS key for decryption.
Option E: Add KMS Key as Resource for Role
The KMS key must explicitly list the QuickSight role as an entity that can access it.
Implementation Steps:
S3 Bucket Policy in Hub-Account: Add a policy to the S3 bucket granting the QuickSight service role access:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<BI-Account-ID>:role/service-role/QuickSightRole" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<Bucket-Name>/*"
    }
  ]
}
```
KMS Key Policy in Hub-Account: Add permissions for the QuickSight role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<BI-Account-ID>:role/service-role/QuickSightRole" },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```
IAM Policy for QuickSight Role in BI-Account: Attach the following policy to the QuickSight service role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:s3:::<Bucket-Name>/*",
        "arn:aws:kms:<region>:<Hub-Account-ID>:key/<KMS-Key-ID>"
      ]
    }
  ]
}
```
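The three policies above only work together: for a cross-account request, the resource policy in Hub-Account and the role's identity policy in BI-Account must both allow the call. The following sketch is an added example, not part of the original page; it is a simplified offline evaluator (no Deny, Condition or NotAction handling), and the account IDs, bucket name and key ID are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed placeholder identifiers (assumptions, not values from the page).
ROLE = "arn:aws:iam::222222222222:role/service-role/QuickSightRole"
OBJ = "arn:aws:s3:::example-hub-bucket/reports/sales.csv"
KEY = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource, principal=None):
    """True if an Allow statement matches. Simplified: ignores Deny and Condition."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        # Resource-based policies (bucket policy, key policy) must name the caller.
        if principal is not None:
            if principal not in _as_list(st.get("Principal", {}).get("AWS", [])):
                continue
        if any(fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False

def stmt(actions, resources, principal=None):
    """Build a one-statement Allow policy document."""
    s = {"Effect": "Allow", "Action": actions, "Resource": resources}
    if principal:
        s["Principal"] = {"AWS": principal}
    return {"Version": "2012-10-17", "Statement": [s]}

def can_read_encrypted_object(bucket_pol, key_pol, role_pol):
    """Each call needs an Allow on both sides: resource policy (Hub) and role policy (BI)."""
    checks = [("s3:GetObject", OBJ, bucket_pol), ("kms:Decrypt", KEY, key_pol)]
    return all(allows(res_pol, act, arn, principal=ROLE) and allows(role_pol, act, arn)
               for act, arn, res_pol in checks)

BUCKET_ARN = "arn:aws:s3:::example-hub-bucket/*"
bucket_policy = stmt("s3:GetObject", BUCKET_ARN, ROLE)
key_policy = stmt(["kms:Decrypt", "kms:DescribeKey"], "*", ROLE)
role_policy = stmt(["s3:GetObject", "kms:Decrypt"], [BUCKET_ARN, KEY])
# Failure cases: role policy without kms:Decrypt, key policy naming another principal.
role_policy_no_kms = stmt("s3:GetObject", BUCKET_ARN)
key_policy_other = stmt("kms:Decrypt", "*", "arn:aws:iam::111111111111:root")

if __name__ == "__main__":
    print("all three policies:", can_read_encrypted_object(bucket_policy, key_policy, role_policy))
    print("role lacks kms:Decrypt:", can_read_encrypted_object(bucket_policy, key_policy, role_policy_no_kms))
    print("key policy omits role:", can_read_encrypted_object(bucket_policy, key_policy_other, role_policy))
```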