You have maintained an AWS account A containing an S3 bucket that another AWS account B needs to upload files to. In the S3 bucket policy, s3:PutObject is allowed for the IAM user in account
B. And the IAM user in account B can use “aws s3api put-object” to upload objects to the S3 bucket successfully. However, it has been found that users in AWS account A cannot open the new uploaded objects. How should you fix this issue?

Answer options:

A.In the bucket policy of the S3 bucket, add read permission to the account A users.
B.In AWS account A, use an admin user to modify the object permissions to “full control” by using aws s3api put-bucket-acl --grant-full-control.
C.In the Access Control List of the bucket, add the read/write access to AWS account
B.D.When user in account B uploads objects, add the option of --acl "bucket-owner-full-control" to aws s3api put-object in order to give permissions to the bucket owner for the objects.

Correct Answer – D
After account B has uploaded objects to the bucket in account A, the objects are still owned by account B, and account A does not have access to it. In order to fix this, the option of --acl "bucket-owner-full-control" should be added when the object is uploaded via aws s3api put-object. Details can be found in
https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#grant-putobject-conditionally-1.
Option A is incorrect: Because it still cannot fully control the objects uploaded from other accounts.
Option B is incorrect: Because the option of --grant-full-control is used to grant permissions to other grantees. It does not help in this scenario.
Option C is incorrect: Because it does not resolve the permissions of objects which are uploaded from another account.
Option D is CORRECT: Because bucket-owner-full-control can provide full control to the bucket owner which is account A to access the objects.