SAP-C02 · Question #772
SAP-C02 Question #772: Real Exam Question with Answer & Explanation
The correct answer is A: Create a custom IAM Identity Center permission set to grant the data scientists access to an S3. To grant data scientists access to only their own work, a custom IAM Identity Center permission set with a fine-grained S3 bucket policy should be used. To generate monthly access reports, AWS CloudTrail data events should be configured to log S3 object-level access, and Amazon A
Question
A company wants to create a single Amazon S3 bucket for its data scientists to store work-related documents. The company uses AWS IAM Identity Center to authenticate all users. A group for the data scientists was created. The company wants to give the data scientists access to only their own work. The company also wants to create monthly reports that show which documents each user accessed. Which combination of steps will meet these requirements? (Choose two.)
Options
- A. Create a custom IAM Identity Center permission set to grant the data scientists access to an S3
- B. Create an IAM Identity Center role for the data scientists group that has Amazon S3 read access
- C. Configure AWS CloudTrail to log S3 data events and deliver the logs to an S3 bucket. Use
- D. Configure AWS CloudTrail to log S3 management events to CloudWatch. Use Amazon Athena's
- E. Enable S3 access logging to EMR File System (EMRFS). Use Amazon S3 Select to query logs
Explanation
To grant data scientists access to only their own work, a custom IAM Identity Center permission set with a fine-grained S3 bucket policy should be used. To generate monthly access reports, AWS CloudTrail data events should be configured to log S3 object-level access, and Amazon Athena can then be used to query these logs for reporting.
Common mistakes.
- B. Creating an IAM Identity Center role with only generic Amazon S3 read access does not provide the fine-grained control required to restrict users to "only their own work."
- D. AWS CloudTrail management events primarily log bucket-level operations, not object-level access (which is needed for "which documents each user accessed"), and while logs can go to CloudWatch, Amazon Athena is generally more suitable for complex querying of large log datasets for reporting.
- E. Enabling S3 access logging captures server access details, which is distinct from the detailed API call information provided by CloudTrail data events, and EMR File System (EMRFS) is irrelevant for this general S3 access reporting requirement.
Concept tested. IAM Identity Center Permission Sets, S3 Bucket Policies, CloudTrail Data Events, Amazon Athena for Log Analysis
Reference. https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-manage-permissions.html