You need to grant permission to a vendor to access your AWS account. They need to read some files in a private S3 bucket in your AWS account. The vendor has its own AWS account. What is the best way to grant the permissions?

Answer options:

A.Create an IAM User with API Access Keys. Grant the User permissions to access the bucket. Give the vendor the AWS Access Key ID and AWS Secret Access Key for the User.
B.Create an EC2 Instance Profile on your account. Grant the associated IAM role full access to the bucket. Start an EC2 instance with this Profile and give SSH access to the instance to the vendor.
C.In your AWS account, create a cross-account IAM Role with permission to access the bucket, and grant permission to use the Role to the vendor AWS account.
D.Generate a signed S3 PUT URL and a signed S3 PUT URL, both with wildcard values and 2 year durations. Pass the URLs to the vendor.

Answer C
You can use AWS Identity and Access Management (IAM) roles and AWS Security Token Service (STS) to set up cross-account access between AWS accounts.
For more information on Cross-Account Access, please visit the below URL:
https://aws.amazon.com/blogs/security/tag/cross-account-access/