In your AWS account A, there is an S3 bucket that contains artifacts that need to be fetched by an IAM user in another AWS account
B. The S3 bucket has the below bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:user/AccountBUserName"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::AccountABucketName/*"
]
}
]
}
However, the IAM user in account B still cannot get objects in the S3 bucket. Which one may cause the failure?

Answer options:

A.The IAM user in account B does not have IAM permission to get an object in the particular S3 bucket.
B.The Resource in bucket policy should include “arn:aws:s3:::AccountABucketName”.
C.The Action in bucket policy should add the action of "s3:GetObjectACL".
D.The Principal in bucket policy should add a cross-account IAM role assumed by the IAM user in account
B.

Answer: A
Option A is CORRECT because to provide the access, you need two things: S3 bucket policy on account A for account B IAM user to access and then in Account B, the IAM user needs to have an allow access for the S3 bucket in the IAM policy (This is missing).
Option B is incorrect because the resource “arn:aws:s3:::AccountABucketName” is unnecessary and would not provide the necessary permission.
Option C is incorrect because "s3:GetObjectACL" is not required. This case only needs "s3:GetObject".
Option D is incorrect because there is no mention of an IAM user in account B to assume a cross-account role in this particular scenario. Instead, as long as the user is given an "s3:GetObject" permission to the S3 bucket, it should be able to get objects in the bucket.
For more information on cross-account S3 bucket object access, do refer to the URL provided below
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/