55. Question
Category: DOP – Resilient Cloud Solutions
A bank uses an EC2 instance to host its web application, whose main purpose is storing sensitive information in an S3 bucket. The security team mandated that all objects in the bucket be duplicated and stored in a separate bucket located in a different AWS account and region.
Which of the following actions should the DevOps Engineer implement to enable cross-region replication? (Select THREE.)
Create a bucket policy in the source bucket that grants the destination bucket permission to replicate objects.
Create a bucket policy in the destination bucket that grants the source bucket permission to replicate objects.
In the source AWS account, create an IAM role that Amazon S3 can assume to replicate objects. Enable versioning in both buckets.
In the destination AWS account, create an IAM role that Amazon S3 can assume to replicate objects. Enable versioning in both buckets.
Configure a replication rule within the source bucket to activate the replication process.
Configure a replication rule within the destination bucket to activate the replication process.
Why are we creating an IAM role in the source account that S3 can assume? Shouldn't it be in the destination account, as that is the role that S3 will assume when doing replication?
Hello Vedansh,
Thank you for your question! The reason we create the IAM role in the source account for Amazon S3 to assume during replication is that S3 initiates the replication process from the source bucket, not the destination. For cross-account replication to work, S3 needs the necessary permissions to replicate objects from the source bucket to the destination bucket. The IAM role in the source account grants S3 the permissions to perform the replication. This role allows Amazon S3 to read the objects from the source bucket and copy them to the destination bucket.
The IAM role in the source account is also critical because it establishes a trust relationship between the source account and Amazon S3, enabling S3 to carry out the replication on your behalf. While the destination bucket will also need a policy that allows the source account to write objects into it, the replication IAM role itself is always set up in the source account, as that’s where the replication is initiated.
As per the latest AWS documentation on cross-region replication (CRR), the IAM role for replication permissions is created in the source account, as this is where the action starts. I hope this clears up any confusion! If you have further questions or need more details, feel free to reach out.
Regards,
Nikee @ Tutorials Dojo
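The layout Nikee describes (role in the source account trusted by S3, replication rule in the source bucket, destination bucket policy granting that role the replicate actions, versioning on both buckets) can be checked mechanically. The checker below is an added example, not code from the thread or from AWS; the account ids, bucket names and role name are constructed placeholders, and it runs over policy documents already fetched as JSON rather than calling AWS.

```python
# Added example: lint a cross-account CRR setup against the layout above.
REPLICATE_ACTIONS = {"s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"}

def as_list(v):
    return v if isinstance(v, list) else [v]

def role_account(role_arn):
    parts = role_arn.split(":")  # arn:aws:iam::<account>:role/<name>
    return parts[4] if len(parts) > 4 else None

def check_replication_setup(source_account, dest_bucket, replication_config,
                            trust_policy, dest_bucket_policy, versioning):
    """Return findings (empty list = OK): role in the source account and assumable by S3,
    an enabled rule targeting the destination, the destination policy granting that role
    the s3:Replicate* actions, and versioning enabled on both buckets."""
    findings = []
    role_arn = replication_config.get("Role", "")
    if role_account(role_arn) != source_account:
        findings.append(f"replication role {role_arn} is not in source account {source_account}")
    trusted = {s.get("Principal", {}).get("Service") for s in trust_policy["Statement"]
               if s.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(s.get("Action", []))}
    if "s3.amazonaws.com" not in trusted:
        findings.append("trust policy does not allow s3.amazonaws.com to assume the role")
    dest_arn = f"arn:aws:s3:::{dest_bucket}"
    if not any(r.get("Status") == "Enabled" and r.get("Destination", {}).get("Bucket") == dest_arn
               for r in replication_config.get("Rules", [])):
        findings.append(f"no enabled replication rule targets {dest_bucket}")
    granted = set()  # actions the destination bucket policy grants to the replication role
    for s in dest_bucket_policy["Statement"]:
        if s.get("Effect") == "Allow" and role_arn in as_list(s.get("Principal", {}).get("AWS", [])):
            granted.update(as_list(s["Action"]))
    missing = sorted(REPLICATE_ACTIONS - granted)
    if missing:
        findings.append(f"destination bucket policy does not grant the role {missing}")
    for bucket, status in versioning.items():
        if status != "Enabled":
            findings.append(f"versioning is not enabled on {bucket}")
    return findings

# Constructed sample setup matching the thread: the role lives in the source account.
SOURCE, DEST = "111111111111", "222222222222"
ROLE = f"arn:aws:iam::{SOURCE}:role/s3-crr-role"
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
REPL = {"Role": ROLE, "Rules": [{"Status": "Enabled", "Priority": 1, "Filter": {},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": {"Bucket": "arn:aws:s3:::bank-dest", "Account": DEST,
                        "AccessControlTranslation": {"Owner": "Destination"}}}]}
DEST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
               "Principal": {"AWS": ROLE}, "Action": sorted(REPLICATE_ACTIONS),
               "Resource": "arn:aws:s3:::bank-dest/*"}]}
VERSIONING = {"bank-source": "Enabled", "bank-dest": "Enabled"}
```

Swapping the role ARN for one in the destination account reproduces the mistake asked about in the question: the checker flags the role's account and, because the destination policy names the source-account role, also reports the missing replicate grants.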