A publishing company's design team updates the icons and other static assets that an ecommerce web application uses. The company serves the icons and assets from an Amazon S3 bucket that is hosted in the company's production account. The company also uses a development account that members of the design team can access. After the design team tests the static assets in the development account, the design team needs to load the assets into the S3 bucket in the production account. A solutions architect must provide the design team with access to the production account without exposing other parts of the web application to the risk of unwanted changes. Which combination of steps will meet these requirements? (Choose three.) A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket. B. In the development account, create a new IAM policy that allows read and write access to the S3 bucket. C. In the production account, create a role Attach the new policy to the role. Define the development account as a trusted entity. D. In the development account, create a role. Attach the new policy to the role Define the production account as a trusted entity. E. In the development account, create a group that contains all the IAM users of the design team Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role In the production account. F. In the development account, create a group that contains all the IAM users of the design team Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the development account.