SAA-C03 Question #183: Real Exam Question with Answer & Explanation

Question

A company stores data for multiple business units in a single Amazon S3 bucket that is in the company's payer AWS account. To maintain data isolation, the business units store data in separate prefixes in the S3 bucket by using an S3 bucket policy. The company plans to add a large number of dynamic prefixes. The company does not want to rely on a single S3 bucket policy to manage data access at scale. The company wants to develop a secure access management solution in addition to the bucket policy to enforce prefix-level data isolation. Which solution will meet these requirements?

Options

• AConfigure the S3 bucket policy to deny s3:GetObject permissions for all users. Configure the
• BEnable default encryption on the S3 bucket by using server-side encryption with Amazon S3
• CConfigure resource-based permissions on the S3 bucket by creating an S3 access point for each
• DUse pre-signed URLs to provide access to the S3 bucket.

Explanation

Why Option C is Correct: S3 Access Points: Provide scalable management of access to large datasets with specific permissions for individual prefixes. Dynamic Prefixes: Access points simplify managing access to a growing number of prefixes without relying solely on a single bucket policy. Fine-Grained Control: Resource-based permissions on access points enforce prefix-level isolation effectively. Why Other Options Are Not Ideal: Option A: Using deny/allow bucket policies introduces complexity and is less scalable for dynamic Option B: Encryption ensures data security but does not address access management. Option D: Pre-signed URLs are temporary and not suitable for managing access at scale.

No community discussion yet for this question.