AWS Certified Solutions Architect - Professional



A research center has migrated its 1 PB on-premises object storage to an Amazon S3 bucket on the AWS Cloud. One hundred scientists, all members of a single IAM user group, use this storage to store their work-related documents, each with a personal folder. The compliance officer is concerned about potential unauthorized access to these documents and requires detailed reports on document access by each scientist. The reporting team, with limited AWS experience, seeks a solution that is easy to implement and maintain. What actions should a solutions architect take to address these requirements? (Select two.)


Explanation:

The correct answers are A and B.

Option A involves creating an identity policy that grants read and write access with a condition that the S3 paths must be prefixed with `${aws:username}`. This ensures that each scientist can access only their own folder.

Option B involves setting up AWS CloudTrail to capture all object-level events in the S3 bucket, storing the logs in another S3 bucket, and using Amazon Athena to query these logs to generate reports. This provides a reliable and comprehensive auditing solution.

Options C, D, and E either do not provide the required granularity or reliability for compliance reporting. S3 server access logging (Option C) operates on a best-effort basis and is not guaranteed to be complete or timely. Creating an S3 bucket policy (Option D) alone does not restrict access to each scientist's folder individually. Using CloudWatch with Amazon Athena (Option E) is unnecessarily complex compared to the direct integration of CloudTrail with Athena.
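The identity policy described in Option A could look like the following. This is an added example, not part of the original question or its answer options. It assumes the bucket is named `EXAMPLE-RESEARCH-BUCKET` (a placeholder) and that each personal folder sits at the bucket root and is named after the scientist's IAM user name; the policy would be attached once to the shared IAM user group.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-RESEARCH-BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:username}/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteOwnFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-RESEARCH-BUCKET/${aws:username}/*"
    }
  ]
}
```

Listing is a bucket-level action, so it is scoped with the `s3:prefix` condition key, while object reads and writes are scoped through the resource ARN. The `"Version": "2012-10-17"` element is required for the `${aws:username}` policy variable to be resolved rather than treated as a literal string.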
