
Answer-first summary for fast verification
Answer: A and B.
A. Create an identity policy granting read and write access, with a condition restricting S3 paths to those prefixed with ${aws:username}, and attach it to the scientists' IAM user group.
B. Set up an AWS CloudTrail trail to record all object-level events in the S3 bucket, deliver the trail logs to another S3 bucket, and query those logs with Amazon Athena to generate the reports.
The correct answers are A and B. Option A creates an identity policy that grants read and write access but scopes it to each user's own prefix through the IAM policy variable ${aws:username} (note the curly braces; $(aws:username) is not valid policy-variable syntax). In practice this is written as an object-level statement whose Resource is arn:aws:s3:::bucket/${aws:username}/* plus an s3:ListBucket statement conditioned on s3:prefix matching ${aws:username}/*. Because the variable resolves to the calling IAM user's name at evaluation time, one policy attached to the group isolates all one hundred scientists to their own folders. The variable is only populated for IAM users; if the scientists are ever moved to federated access or roles, the policy must switch to ${aws:userid} or principal tags. Option B records object-level (data) events for the bucket in a CloudTrail trail, delivers the logs to a separate S3 bucket, and lets the reporting team query them with Amazon Athena using ordinary SQL, which is a reliable and low-maintenance auditing solution. Data events are not enabled by default and are billed separately, so the trail's event selectors must explicitly include the bucket. Options C, D, and E either do not provide the required granularity or reliability for compliance reporting. S3 server access logging (Option C) is delivered on a best-effort basis and is not guaranteed to be complete or timely, which is unsuitable for compliance evidence. An S3 bucket policy (Option D) cannot name an IAM group as a principal, and a blanket read/write grant does nothing to confine each scientist to an individual folder. Routing CloudTrail through CloudWatch Logs and the Athena CloudWatch connector (Option E) adds an extra hop and an extra service to operate compared with querying the CloudTrail S3 output directly from Athena.
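The following Python is an added example, not part of the original quiz page or of any AWS documentation. It builds the Option A policy and runs a deliberately small local approximation of IAM's wildcard matching so the isolation boundary can be checked offline. The bucket name, the usernames and the evaluator itself are assumptions for illustration: it models only Allow statements and the StringLike operator, and ignores explicit denies, other attached policies, bucket policies and SCPs. Real policies should be validated with the IAM policy simulator before relying on them.

```python
"""Per-user S3 folder isolation with an IAM identity policy (added example).

Models only Allow statements and the StringLike condition operator; it is a
teaching aid, not the IAM policy engine.
"""
import json
import re

BUCKET = "research-docs-example"  # assumed bucket name for illustration


def build_policy(bucket: str) -> dict:
    """Return the identity policy described in option A.

    ${aws:username} is resolved by IAM at evaluation time to the calling IAM
    user's name, so one policy on the group confines every member to their
    own top-level folder. The variable is empty for roles and federated
    sessions, where ${aws:userid} or principal tags must be used instead.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Listing is limited to the user's own prefix. The root prefix
                # "" is intentionally not allowed: it would reveal every
                # scientist's folder name to every other scientist.
                "Sid": "ListOwnFolderOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}},
            },
            {
                # Object actions are scoped by the Resource ARN itself.
                "Sid": "ReadWriteOwnFolder",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/${{aws:username}}/*"],
            },
        ],
    }


POLICY = build_policy(BUCKET)


def render_for_user(policy: dict, username: str) -> dict:
    """Substitute the policy variable the way IAM does at evaluation time."""
    return json.loads(json.dumps(policy).replace("${aws:username}", username))


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcards: '*' matches any run of characters (including '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only StringLike is modelled. A context key that is absent fails the test, as in IAM."""
    for operator, tests in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in tests.items():
            if key not in context or not any(_iam_match(p, context[key]) for p in patterns):
                return False
    return True


def _statement_allows(stmt: dict, action: str, resource_arn: str, context: dict) -> bool:
    if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
        return False
    if not any(_iam_match(r, resource_arn) for r in stmt["Resource"]):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def is_allowed(policy: dict, username: str, action: str, resource_arn: str, context=None) -> bool:
    rendered = render_for_user(policy, username)
    return any(_statement_allows(s, action, resource_arn, context or {}) for s in rendered["Statement"])


def object_allowed(policy: dict, username: str, action: str, bucket: str, key: str) -> bool:
    return is_allowed(policy, username, action, f"arn:aws:s3:::{bucket}/{key}")


def listing_allowed(policy: dict, username: str, bucket: str, prefix: str) -> bool:
    # s3:prefix is the condition key S3 supplies for ListBucket requests.
    return is_allowed(policy, username, "s3:ListBucket", f"arn:aws:s3:::{bucket}", {"s3:prefix": prefix})


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for user, key in [("alice", "alice/report.pdf"), ("alice", "bob/report.pdf"), ("alice", "alice2/notes.txt")]:
        print(f"{user} GetObject {key}: {object_allowed(POLICY, user, 's3:GetObject', BUCKET, key)}")
```

The alice2 case is why the trailing slash in the Resource ARN matters: without it, a prefix pattern of ${aws:username}* would let alice reach any folder whose name merely starts with hers.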
Author: LeetQuiz Editorial Team
A research center has migrated its 1 PB on-premises object storage to an Amazon S3 bucket on the AWS Cloud. One hundred scientists, all members of a single IAM user group, use this storage to store their work-related documents, each with a personal folder. The compliance officer is concerned about potential unauthorized access to these documents and requires detailed reports on document access by each scientist. The reporting team, with limited AWS experience, seeks a solution that is easy to implement and maintain. What actions should a solutions architect take to address these requirements? (Select two.)
A
Create an identity policy granting read and write access, with a condition specifying that S3 paths must be prefixed with ${aws:username}, and apply this policy to the scientists' IAM user group.
B
Set up an AWS CloudTrail trail to record all object-level events in the S3 bucket, store the trail logs in another S3 bucket, and use Amazon Athena to query these logs for generating reports.
C
Enable S3 server access logging, configure another S3 bucket for log delivery, and use Amazon Athena to query these logs for generating reports.
D
Create an S3 bucket policy that grants read and write access to users in the scientists’ IAM user group.
E
Configure an AWS CloudTrail trail to capture all object-level events in the S3 bucket, write these events to Amazon CloudWatch, and use the Amazon Athena CloudWatch connector to query the logs for generating reports.
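As an added example of the reporting side of Option B, the Python below turns CloudTrail S3 data events into the per-scientist report the compliance officer asked for and flags any request whose object key lies outside the caller's own folder, whether it succeeded or was denied. It is not code from the quiz page or from AWS; the event records are constructed sample data shaped like CloudTrail's JSON (eventSource, eventName, userIdentity.userName, requestParameters.bucketName/key, errorCode), and the bucket name and usernames are assumptions. The same filter and grouping translate directly into an Athena query over the CloudTrail table once the logs are in S3.

```python
"""Per-scientist S3 access report from CloudTrail object-level events (added example)."""
from collections import defaultdict

BUCKET = "research-docs-example"  # assumed bucket name for illustration

# S3 data events that name a single object. ListObjects is also a data event
# but carries a prefix rather than a key, so it is handled separately in practice.
OBJECT_EVENTS = {"GetObject", "PutObject", "DeleteObject", "HeadObject"}

# Constructed sample records, not real log data. The shape follows CloudTrail's
# record format; only the fields this report uses are included.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:12:03Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": BUCKET, "key": "alice/results/run-17.csv"}},
    {"eventTime": "2024-05-01T09:15:41Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": BUCKET, "key": "alice/results/run-17.csv"}},
    {"eventTime": "2024-05-01T10:02:19Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": BUCKET, "key": "bob/notes.md"}},
    # bob probing alice's folder: the option A policy denies it, and CloudTrail still records the attempt.
    {"eventTime": "2024-05-01T10:03:55Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": BUCKET, "key": "alice/results/run-17.csv"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    # Management events from other services are in the same trail and must be filtered out.
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "requestParameters": None},
    {"eventTime": "2024-05-01T10:11:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": None},
]


def s3_object_events(events):
    """Yield only S3 data events that name both a bucket and an object key."""
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com" or e.get("eventName") not in OBJECT_EVENTS:
            continue
        params = e.get("requestParameters") or {}
        if "bucketName" in params and "key" in params:
            yield e


def actor(e) -> str:
    """IAM user name when present, otherwise the principal ARN (roles, federated users)."""
    ident = e.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def outcome(e) -> str:
    """CloudTrail sets errorCode only on failures; absence means the call succeeded."""
    return e.get("errorCode", "Succeeded")


def per_user_report(events) -> dict:
    """Count object operations per scientist, keeping failures as separate buckets."""
    report = defaultdict(lambda: defaultdict(int))
    for e in s3_object_events(events):
        label = e["eventName"] if outcome(e) == "Succeeded" else f"{e['eventName']}:{outcome(e)}"
        report[actor(e)][label] += 1
    return {user: dict(counts) for user, counts in report.items()}


def cross_folder_attempts(events) -> list:
    """Flag requests whose top-level key prefix is not the caller's own user name.

    A key with no '/' lives outside every personal folder and is flagged too.
    """
    flagged = []
    for e in s3_object_events(events):
        key = e["requestParameters"]["key"]
        if key.split("/", 1)[0] != actor(e):
            flagged.append({"eventTime": e["eventTime"], "userName": actor(e),
                            "eventName": e["eventName"], "key": key, "outcome": outcome(e)})
    return flagged


if __name__ == "__main__":
    for user, counts in sorted(per_user_report(SAMPLE_EVENTS).items()):
        print(user, counts)
    for attempt in cross_folder_attempts(SAMPLE_EVENTS):
        print("CROSS-FOLDER:", attempt)
```

Denied attempts are the interesting rows for the compliance officer: a successful cross-folder read would mean the Option A policy is not attached or has been overridden, so the report should surface both outcomes rather than filtering on errorCode.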