Topic 1 Question 510
A company wants to create a single Amazon S3 bucket for its data scientists to store work-related documents. The company uses AWS IAM Identity Center to authenticate all users. A group for the data scientists was created.
The company wants to give the data scientists access to only their own work. The company also wants to create monthly reports that show which documents each user accessed.
Which combination of steps will meet these requirements? (Choose two.)
A. Create a custom IAM Identity Center permission set to grant the data scientists access to an S3 bucket prefix that matches their username tag. Use a policy to limit access to paths with the ${aws:PrincipalTag/userName}/* condition.
B. Create an IAM Identity Center role for the data scientists group that has Amazon S3 read access and write access. Add an S3 bucket policy that allows access to the IAM Identity Center role.
C. Configure AWS CloudTrail to log S3 data events and deliver the logs to an S3 bucket. Use Amazon Athena to run queries on the CloudTrail logs in Amazon S3 and generate reports.
D. Configure AWS CloudTrail to log S3 management events to CloudWatch. Use Amazon Athena's CloudWatch connector to query the logs and generate reports.
E. Enable S3 access logging to EMR File System (EMRFS). Use Amazon S3 Select to query logs and generate reports.
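The two steps that together meet the requirements (A and C), as an added example that is not part of the question page: a permission-set policy that confines each user to a prefix named after the `userName` session tag, a small evaluator showing how the `${aws:PrincipalTag/userName}` variable resolves per principal, and the monthly report built from CloudTrail S3 data events, first over constructed sample records in Python and then as the equivalent Athena query. The bucket name, account ID, role name, user names and the Athena table name are assumptions. Two caveats the options turn on: the `userName` session tag exists only if attributes for access control (ABAC) is enabled in IAM Identity Center with that attribute mapped, and S3 object-level calls reach CloudTrail only when data events are enabled on the trail, which is why management events (option D) cannot produce the report.

```python
import fnmatch
from collections import Counter
from datetime import datetime

BUCKET = "ds-work-docs"  # assumed bucket name, not from the question

# Permission-set inline policy. ${aws:PrincipalTag/userName} is resolved per request from
# the "userName" session tag, which exists only if IAM Identity Center ABAC maps userName.
PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Listing is bucket-level, so it is confined with s3:prefix, not the key path.
            "Sid": "ListOwnPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": ["${aws:PrincipalTag/userName}/*"]}},
        },
        {   # Object actions are confined by the key path in the Resource ARN.
            "Sid": "ReadWriteOwnObjects", "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/${{aws:PrincipalTag/userName}}/*",
        },
    ],
}


def resolve(template, tags):
    """Substitute ${aws:PrincipalTag/<key>} from session tags; an unset tag stays unresolved."""
    for key, value in tags.items():
        template = template.replace("${aws:PrincipalTag/%s}" % key, value)
    return template


def is_allowed(policy, tags, action, resource, prefix=None):
    """Allow-only evaluator (no Deny, only StringLike on s3:prefix) showing the confinement."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, resolve(stmt["Resource"], tags)):
            continue  # unresolved variable or another user's prefix: no match
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if patterns is not None and (prefix is None or not any(
                fnmatch.fnmatchcase(prefix, resolve(p, tags)) for p in patterns)):
            continue  # a request without the condition key fails StringLike
        return True
    return False


# Constructed CloudTrail S3 data-event records (account ID and role name assumed).
# Object-level calls are logged only when data events are enabled on the trail.
# For Identity Center users the assumed-role session name is the user name.
ROLE = "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_DataScientists_0123456789abcdef"


def event(time, name, user, key, error=None):
    rec = {"eventTime": time, "eventName": name, "userIdentity": {"arn": f"{ROLE}/{user}"},
           "requestParameters": {"bucketName": BUCKET, "key": key}}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [
    event("2024-06-03T09:12:44Z", "GetObject", "alice", "alice/report.docx"),
    event("2024-06-10T14:02:01Z", "GetObject", "alice", "alice/report.docx"),
    event("2024-06-11T08:30:19Z", "PutObject", "alice", "alice/draft.xlsx"),
    event("2024-06-12T16:45:07Z", "GetObject", "bob", "bob/notes.txt"),
    event("2024-06-12T16:47:33Z", "GetObject", "bob", "alice/report.docx", "AccessDenied"),
    event("2024-07-01T10:00:00Z", "GetObject", "alice", "alice/report.docx"),
]


def monthly_access_report(events, year, month):
    """Count successful object accesses per (user, object) for one month; denied calls are skipped."""
    counts = Counter()
    for ev in events:
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if (ts.year, ts.month) != (year, month) or ev.get("errorCode"):
            continue
        if ev["eventName"] in {"GetObject", "PutObject", "DeleteObject"}:
            user = ev["userIdentity"]["arn"].rsplit("/", 1)[-1]
            p = ev["requestParameters"]
            counts[(user, f'{p["bucketName"]}/{p["key"]}')] += 1
    return counts


# Same report as an Athena query over a CloudTrail table with the documented schema
# (table name assumed); requestparameters is stored there as a JSON string.
ATHENA_REPORT_SQL = """
SELECT regexp_extract(useridentity.arn, '[^/]+$') AS user_name,
       json_extract_scalar(requestparameters, '$.key') AS object_key,
       count(*) AS accesses
FROM cloudtrail_logs
WHERE eventsource = 's3.amazonaws.com'
  AND eventname IN ('GetObject', 'PutObject', 'DeleteObject')
  AND errorcode IS NULL
  AND eventtime BETWEEN '2024-06-01T00:00:00Z' AND '2024-06-30T23:59:59Z'
GROUP BY 1, 2
"""
```

Running `monthly_access_report(SAMPLE_EVENTS, 2024, 6)` yields two accesses by alice to `alice/report.docx`, one to `alice/draft.xlsx` and one by bob to `bob/notes.txt`; bob's denied attempt on alice's document and the July access are excluded. The evaluator deliberately has no `Deny` handling, which is why a principal without the `userName` tag gets nothing: the unresolved variable simply never matches, so option B's plain read/write grant to the group would be the only way for one user to reach another's prefix.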
Comments (3)

Selected answer: AC
A and C
👍 4  awsaz  2024/06/28

Selected answer: AC
By combining a custom IAM Identity Center permission set with path-based access control and CloudTrail logging with Athena querying, the company can achieve the desired access control and reporting requirements for the data scientists' work-related documents stored in the S3 bucket.
The other options are either incorrect or do not fully meet the requirements:
B. Creating an IAM Identity Center role with S3 read and write access and adding an S3 bucket policy would not provide the granular access control required to restrict each user to their own work.
D. Configuring CloudTrail to log S3 management events to CloudWatch and using Athena's CloudWatch connector would not capture the necessary data events for generating reports on which documents each user accessed.
E. Enabling S3 access logging to EMRFS and using S3 Select would not provide the necessary logging and reporting capabilities for this use case.
👍 20  b43291  2024/11/16

Selected answer: AC
IAM Identity Center permission + Amazon Athena to run queries on the CloudTrail logs in Amazon S3 and generate reports, answer A-C
👍 1  mifune  2024/06/27