SAA-C03 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

The correct answer is C because the company needs a secure cross-account access solution that uses temporary credentials , follows least privilege , and avoids long-term access keys . The best practice for this design is to allow an IAM role in Account A to access the Amazon S3 bucket in Account B through a resource-based bucket policy . Analysts or applications in Account A can assume the IAM role and receive temporary credentials through AWS Security Token Service (AWS STS), which satisfies the requirement to avoid permanent access keys.

This approach is secure because permissions can be scoped precisely to the required bucket and prefixes, supporting least-privilege access. It also avoids creating separate IAM users in Account B and eliminates the operational and security risks of sharing static credentials across accounts. Cross-account access through IAM roles and S3 bucket policies is the standard AWS pattern for securely granting one account access to resources in another account.

Option A is incorrect because creating IAM users and sharing access keys introduces long-term credentials, which the company explicitly wants to avoid. Option B is incorrect because making the S3 bucket public violates security requirements and does not enforce least privilege. Option D is incorrect because using a bastion host adds unnecessary infrastructure and operational overhead and is not the recommended approach for S3 access.

AWS security best practices favor role-based access with temporary credentials and resource policies for cross-account resource sharing. Therefore, configuring the S3 bucket policy in Account B to allow access from an IAM role in Account A is the most secure and appropriate solution.

To securely access AWS services like S3 and Secrets Manager from a private VPC without using public IPs, interface VPC endpoints are required. These endpoints are accessible via private IP addresses. For the application to reach these endpoints, appropriate routes must be configured in the route table.