You are a solutions architect working as a consultant where you build web applications for clients. One of your clients needs a static website hosted on AWS. The website will predominantly host content files owned by the AWS account used to create the S3 bucket that will host the website. However, some of the objects in the bucket are owned by a parent company’s AWS account.
How should you configure the S3 bucket access controls to achieve the most secure website that is accessible to the public? (Choose TWO)

Answer options:

A.Create a bucket policy that grants s3:GetObject access to the objects owned by the parent company account.
B.Create a bucket policy that grants s3:GetObject access to the objects in the bucket owned by the account used to create the S3 bucket that will host the website.
C.Create an object access control list to grant read permissions on objects owned by the account used to create the S3 bucket that will host the website.
D.Create an object access control list to grant read permissions on objects owned by the parent company account.
E.Create a bucket policy that grants s3:GetObject access to the objects owned by the parent company account and the objects owned by the account used to create the S3 bucket that will host the website.

Correct Answers: B and D
Option A is incorrect. The objects owned by the parent company account need an access control list that grants read permission to all users. This is because these objects are not controlled by the bucket policy, since they are not owned by the account used to create the bucket that will host the website.
Option B is correct. If you create a bucket policy that grants s3:GetObject access to the objects in the bucket owned by the account used to create the bucket, they will become publicly readable. 
Option C is incorrect. You use a bucket policy to control access to objects in the bucket that are owned by the account used to create the bucket. You don’t use an ACL for this access control.
Option D is correct. Since the account used to create the S3 bucket used to host the website is different from the parent company account, you need to use an ACL to control access to the objects owned by the parent company account.
Option E is incorrect. The bucket policy will control access to objects owned by the account used to create the S3 bucket that will host the website. Your bucket policy can’t control access to objects owned by the parent company account. You need to use an ACL to control access to objects owned by the parent company account.
References:
Please see the Amazon Simple Storage Service user guide titled Setting permissions for website access (https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html), the Service Authorization reference page titled Actions, resources, and condition keys for Amazon S3 (https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html)