A developer is using an AWS account to build an application that stores files in...

Step-by-Step Breakdown:

Requirement Summary:

Encrypt S3 objects usingKMS keys

Cross-account read accessto another AWS account

Minimize operational overhead

Option A: Use a customer managed key + key policy granting kms:Decrypt to second account

✅Correct: Customer managed keys allow full control ofkey policy.

You can add a statement to allowcross-account accessusing the second account’s IAM principal.

Option B: Use AWS managed key + key policy granting access to second account

❌Incorrect: AWS-managed KMS keys (aws/s3)cannot be modifiedto add cross-account access in key policies.

Option C: SCP that grants s3:GetObject to second account

❌Incorrect: SCPs are used torestrict or allow permissions across AWS Organizations, not togrant S3 or KMS accessdirectly.

Option D: Create a bucket policy granting s3:GetObject to second account

✅Correct: Bucket policies can grantcross-account accessto specific IAM users or roles in the second account.

Option E: Gateway endpoint for S3 with cross-account access

❌Incorrect: Gateway endpoints only applywithin the same VPC/account. Cross-account use with endpoint policies is not the correct pattern for this use case.

Cross-account S3 access with KMS:https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html

KMS cross-account key policy:https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html

Bucket Policy for cross-account access:https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html