What is the best way to ensure that the partner account can access the log files in the company account for analysis?

Posted by: Pdfprep | Category: SCS-C01

Your company has been using AWS for the past 2 years. It has separate S3 buckets for logging the various AWS services that are in use. It has hired an external vendor to analyze these log files; the vendor has its own AWS account.

What is the best way to ensure that the partner account can access the log files in the company account for analysis? Choose 2 answers from the options given below.
A. Create an IAM user in the company account
B. Create an IAM Role in the company account
C. Ensure the IAM user has access for read-only to the S3 buckets
D. Ensure the IAM Role has access for read-only to the S3 buckets

Answer: B,D

Explanation:

The AWS Documentation mentions the following:

To share log files between multiple AWS accounts, you must perform the following general steps. These steps are explained in detail later in this section.

Create an IAM role for each account that you want to share log files with.

For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.

Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files.
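The three steps above, as an added worked example that is not part of the original page or of AWS's own documentation: it builds the two policy documents the company account needs (the role's trust policy, which allows only the vendor account to assume the role, and the role's permissions policy, which grants only read and list access on the log bucket) and then reviews them the way a security engineer would before attaching them. Account IDs, the bucket name and the role name are constructed placeholders.

```python
import json

# Constructed placeholder values (hypothetical, not from the page).
COMPANY_ACCOUNT_ID = "111111111111"
VENDOR_ACCOUNT_ID = "222222222222"
LOG_BUCKET = "example-company-service-logs"
ROLE_NAME = "VendorLogAnalysisRole"

# The only S3 actions we consider "read-only" for log analysis.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion",
                     "s3:ListBucket", "s3:GetBucketLocation"}


def trust_policy(vendor_account_id: str) -> dict:
    """Trust policy for the role in the company account: only principals in the
    vendor account may call sts:AssumeRole on it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def read_only_log_policy(bucket: str) -> dict:
    """Permissions policy for the role: list the log bucket and read its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def overly_broad_policy() -> dict:
    """A constructed bad example: full S3 access on every bucket in the account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy: dict, bucket: str) -> list:
    """Review a permissions policy. Flags any Allow statement that grants an action
    outside READ_ONLY_ACTIONS (wildcards included) or a resource outside the log bucket."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {i}: non-read-only action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource {resource} is outside the log bucket")
    return findings


def trust_findings(policy: dict, vendor_account_id: str) -> list:
    """Review the trust policy: every AWS principal must be exactly the vendor account."""
    findings = []
    expected = f"arn:aws:iam::{vendor_account_id}:root"
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in _as_list(aws):
            if p != expected:
                findings.append(f"statement {i}: principal {p} is not the vendor account")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(VENDOR_ACCOUNT_ID), indent=2))
    print(json.dumps(read_only_log_policy(LOG_BUCKET), indent=2))
    print("permissions findings:", policy_findings(read_only_log_policy(LOG_BUCKET), LOG_BUCKET))
    print("broad policy findings:", policy_findings(overly_broad_policy(), LOG_BUCKET))
```

Once the role exists with these two documents, the vendor's IAM user performs the third step with `aws sts assume-role --role-arn arn:aws:iam::<company-account-id>:role/<role-name> --role-session-name <session-name>` and uses the returned temporary credentials to read the bucket; no long-lived company credentials ever leave the company account.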

Options A and C are invalid because creating an IAM user and then sharing that user's credentials with the vendor is a direct 'NO' practice from a security perspective.

For more information on sharing CloudTrail log files, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html

The correct answers are: Create an IAM Role in the company account; Ensure the IAM Role has access for read-only to the S3 buckets.
