A company is running a web application on Amazon EC2 instances in a production AWS account. The company requires all logs generated from the web application to be copied to a central AWS account for analysis and archiving. The company’s AWS accounts are currently managed independently. Logging agents are configured on the EC2 instances to upload the tog files to an Amazon S3 bucket in the central AWS account.
A solutions architect needs to provide access for a solution that will allow the production account to store log files in the central account. The central account also needs to have read access to the tog files.
What should the solutions architect do to meet these requirements?
A . Create a cross-account role in the central account. Assume the role from the production account when the logs are being copied.
B. Create a policy on the S3 bucket with the production account ID as the principal. Allow S3 access from a delegated user.
C. Create a policy on the S3 bucket with access from only the CIDR range of the EC2 instances in the production account. Use the production account ID as the principal.
D. Create a cross-account role in the production account. Assume the role from the production account when the logs are being copied.
Answer: A
Explanation:
Cross-account roles are used to grant access to resources in one AWS account, from another AWS account. In this case, a cross-account role should be created in the central account, which will grant access to the S3 bucket from the production account. The production account will then assume this role when the logs are being copied to the S3 bucket, allowing the log files to be stored in the central account.
For more information, please refer to the AWS documentation on Cross-Account Access and IAM Roles in AWS Organizations.
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
Latest SAP-C02 Dumps Valid Version with 318 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund