
Explanation:
Option B is the correct solution because it addresses all requirements:
Lake Formation LF-Tag expressions: These allow fine-grained access control at the column level, so PII can be redacted from specific data columns. Business units and Regions can be defined as LF-Tags (metadata tags) assigned to databases and tables, and permissions can be granted based on expressions over these tags.
IAM roles for authentication: The FM authenticates using IAM roles, which is the standard AWS security practice.
Comprehensive audit trails: AWS CloudTrail provides detailed audit trails of all data access through Lake Formation, meeting the requirement for capturing audit trails.
Prevents PII in production: By using LF-Tag expressions, the FM can be configured to access only authorized data subsets with PII redacted.
Why other options are incorrect:
Option A: Using separate S3 buckets for each business unit/Region combination doesn't provide column-level access control for PII redaction. S3 access logs are not as comprehensive as CloudTrail for audit trails.
Option C: Direct IAM principal grants don't provide the fine-grained, column-level access control needed for PII redaction. Creating a custom application layer adds complexity and may not be as secure or maintainable as native Lake Formation features.
Option D: Presigned S3 URLs bypass Lake Formation's fine-grained access control and don't provide column-level PII redaction capabilities. This approach would require custom filtering logic and doesn't leverage Lake Formation's built-in security features.
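As an added illustration, not part of the original question or explanation, the following Python models option B: the request payloads in the keyword shape of the boto3 `lakeformation` client methods `add_lf_tags_to_resource` and `grant_permissions`, plus a simplified local evaluator of LF-Tag expression semantics over column tags, showing why columns tagged as PII never become visible to the FM's role. Database, table, column and role names are placeholders, and the evaluator is a model of the documented AND-across-keys / OR-within-values rule with table-to-column tag inheritance, not Lake Formation's own code.

```python
# Constructed sample schema (placeholder names, not from the page).
PII_COLUMNS = ["customer_ssn", "card_number"]
PUBLIC_COLUMNS = ["txn_id", "amount", "merchant"]

def tag_requests(database: str, table: str, unit: str, region: str) -> list:
    """AddLFTagsToResource payloads (boto3 keyword shape): BusinessUnit, Region and
    Sensitivity=public on the table, a column-level Sensitivity=pii override on PII columns."""
    return [
        {"Resource": {"Table": {"DatabaseName": database, "Name": table}},
         "LFTags": [{"TagKey": "BusinessUnit", "TagValues": [unit]},
                    {"TagKey": "Region", "TagValues": [region]},
                    {"TagKey": "Sensitivity", "TagValues": ["public"]}]},
        {"Resource": {"TableWithColumns": {"DatabaseName": database, "Name": table,
                                           "ColumnNames": PII_COLUMNS}},
         "LFTags": [{"TagKey": "Sensitivity", "TagValues": ["pii"]}]},
    ]

def grant_request(role_arn: str, unit: str, region: str) -> dict:
    """GrantPermissions payload: SELECT on every table whose tags satisfy
    BusinessUnit=unit AND Region=region AND Sensitivity=public, so columns
    tagged Sensitivity=pii are excluded from what the FM's role can read."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": role_arn},
        "Resource": {"LFTagPolicy": {"ResourceType": "TABLE", "Expression": [
            {"TagKey": "BusinessUnit", "TagValues": [unit]},
            {"TagKey": "Region", "TagValues": [region]},
            {"TagKey": "Sensitivity", "TagValues": ["public"]}]}},
        "Permissions": ["SELECT"],
    }

def effective_tags(requests: list) -> dict:
    """Per-column tags: columns inherit the table's tags, and a tag assigned
    directly to a column (TableWithColumns) overrides the inherited value."""
    table_tags, overrides = {}, {}
    for req in requests:
        tags = {t["TagKey"]: t["TagValues"][0] for t in req["LFTags"]}
        if "Table" in req["Resource"]:
            table_tags.update(tags)
        else:
            for col in req["Resource"]["TableWithColumns"]["ColumnNames"]:
                overrides.setdefault(col, {}).update(tags)
    return {c: {**table_tags, **overrides.get(c, {})}
            for c in PUBLIC_COLUMNS + PII_COLUMNS}

def visible_columns(grant: dict, column_tags: dict) -> list:
    """LF-Tag expression semantics: AND across keys, OR within one key's values."""
    expr = grant["Resource"]["LFTagPolicy"]["Expression"]
    return [c for c, tags in column_tags.items()
            if all(tags.get(e["TagKey"]) in e["TagValues"] for e in expr)]
```

Each dict in `tag_requests` can be passed as `**kwargs` to `add_lf_tags_to_resource`, and the `grant_request` dict to `grant_permissions`; CloudTrail then records the resulting data access as the question requires.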
A company uses AWS Lake Formation to set up a data lake that contains databases and tables for multiple business units across multiple AWS Regions. The company wants to use a foundation model (FM) through Amazon Bedrock to perform fraud detection. The FM must ingest sensitive financial data from the data lake. The data includes some customer personally identifiable information (PII).
The company must design an access control solution that prevents PII from appearing in a production environment. The FM must access only authorized data subsets that have PII redacted from specific data columns. The company must capture audit trails for all data access.
Which solution will meet these requirements?
A
Create a separate dataset in a separate Amazon S3 bucket for each business unit and Region combination. Configure S3 bucket policies to control access based on IAM roles that are assigned to FM training instances. Use S3 access logs to track data access.
B
Configure the FM to authenticate by using AWS Identity and Access Management roles and Lake Formation permissions based on LF-Tag expressions. Define business units and Regions as LF-Tags that are assigned to databases and tables. Use AWS CloudTrail to collect comprehensive audit trails of data access.
C
Use direct IAM principal grants on specific databases and tables in Lake Formation. Create a custom application layer that logs access requests and further filters sensitive columns before sending data to the FM.
D
Configure the FM to request temporary credentials from AWS Security Token Service. Access the data by using presigned S3 URLs that are generated by an API that applies business unit and Regional filters. Use AWS CloudTrail to collect comprehensive audit trails of data access.