Which combination of actions should a solutions architect take to meet these requirements?
(Choose two.)
Create an identity policy that grants the user read and write access. Add a condition that specifies that the S3 paths must be prefixed with ${aws:username}. Apply the policy on the scientists’ IAM user group.
Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket. Store the trail output in another S3 bucket. Use Amazon Athena to query the logs and generate reports.
Enable S3 server access logging. Configure another S3 bucket as the target for log delivery. Use Amazon Athena to query the logs and generate reports.
Create an S3 bucket policy that grants read and write access to users in the scientists’ IAM user group.
Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket and write the events to Amazon CloudWatch. Use the Amazon Athena CloudWatch connector to query the logs and generate reports.
Explanations:
Creating an identity policy that restricts access to objects based on the scientist’s username ensures that each scientist can only access their own folder. This policy prevents cross-access between scientists, satisfying the compliance officer’s concern about data privacy.
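To make the per-user folder restriction concrete, the following added example (not part of the original question or answer key) builds the identity policy described in the first option and runs a deliberately simplified local check of it. The bucket name, user names and object keys are constructed; the evaluator only substitutes the `${aws:username}` policy variable and applies wildcard matching, so it illustrates how the variable resolves per caller but is not the IAM policy engine.

```python
"""Simplified local simulation of an S3 per-user folder policy.

Added example: bucket and user names are constructed. The policy is the
identity-based policy a solutions architect would attach to the scientists'
IAM group; is_allowed() resolves ${aws:username} for one request and applies
wildcard matching. It is a teaching aid, not the real IAM evaluator.
"""
import json
from fnmatch import fnmatchcase

BUCKET = "research-docs-example"  # constructed bucket name

# Identity-based policy for the scientists' IAM group.
# IAM replaces ${aws:username} with the calling IAM user's name on each request,
# so one policy gives every scientist access to exactly their own top-level folder.
SCIENTIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOwnFolderOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}},
        },
        {
            "Sid": "ReadWriteOwnFolderOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/${{aws:username}}/*",
        },
    ],
}


def policy_document() -> str:
    """JSON text of the policy, as you would pass it to the IAM API or CLI."""
    return json.dumps(SCIENTIST_POLICY, indent=2)


def _resolve(value: str, username: str) -> str:
    """Substitute the aws:username policy variable for one request."""
    return value.replace("${aws:username}", username)


def is_allowed(username: str, action: str, key: str, policy=SCIENTIST_POLICY) -> bool:
    """Default deny: True only if an Allow statement matches action, resource and condition.

    For s3:ListBucket, `key` is the prefix the caller asked to list; for object
    actions it is the object key inside BUCKET.
    """
    object_arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if action == "s3:ListBucket":
            # ListBucket is authorised on the bucket ARN; the prefix condition
            # limits which folder the caller may enumerate.
            if stmt["Resource"] != f"arn:aws:s3:::{BUCKET}":
                continue
            prefixes = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
            if prefixes is None or any(
                fnmatchcase(key, _resolve(p, username)) for p in prefixes
            ):
                return True
            continue
        # Object actions: resolve the variable in the resource ARN, then wildcard-match.
        if fnmatchcase(object_arn, _resolve(stmt["Resource"], username)):
            return True
    return False


if __name__ == "__main__":
    print(policy_document())
    for user, action, key in [
        ("alice", "s3:GetObject", "alice/report.pdf"),   # own folder: allowed
        ("alice", "s3:GetObject", "bob/report.pdf"),     # cross-access: denied
        ("alice", "s3:ListBucket", "alice/"),            # listing own folder: allowed
        ("alice", "s3:ListBucket", "bob/"),              # listing another folder: denied
        ("alice", "s3:DeleteObject", "alice/report.pdf"),  # not granted at all: denied
    ]:
        print(f"{user:6} {action:16} {key:18} -> {is_allowed(user, action, key)}")
```

Attaching the policy to the group (rather than a bucket policy that names the group) is what makes the folder boundary per-user: each scientist's requests are evaluated with their own username substituted, so no policy edit is needed when scientists join or leave.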
Configuring a trail with AWS CloudTrail to capture object-level events will provide the necessary audit logs for tracking which scientist accesses which documents. Using Amazon Athena allows for easy querying of these logs, fulfilling the requirement for reporting with minimal operational overhead.
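The reporting side of the answer, as an added example that is not part of the original page: a small parser over CloudTrail S3 data-event records that produces the "which scientist accessed which document" report and flags any request outside the caller's own folder. The records are constructed to mirror the shape of real CloudTrail S3 object-level events and are not genuine logs; the Athena query at the end is the equivalent over the standard CloudTrail table layout, with `cloudtrail_logs` as an assumed table name.

```python
"""Build a per-scientist S3 access report from CloudTrail data events.

Added example. SAMPLE_TRAIL is constructed to look like a CloudTrail log file
with S3 object-level (data) events; it is not real log data. The functions
show the kind of query a compliance report needs and the anomaly a reviewer
would look for (a user touching another user's folder).
"""
import json
from collections import defaultdict

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "research-docs-example", "key": "alice/notes.txt"}},
    {"eventTime": "2024-05-01T09:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "research-docs-example", "key": "bob/results.csv"}},
    # Denied cross-folder read: CloudTrail still records it, with an errorCode.
    {"eventTime": "2024-05-01T09:20:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "research-docs-example", "key": "alice/notes.txt"},
     "errorCode": "AccessDenied"},
    # Listing is a bucket-level event and carries a prefix, not a key.
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "research-docs-example", "prefix": "alice/"}},
    # Unrelated management event; must be ignored by the report.
    {"eventTime": "2024-05-01T09:31:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
]})

OBJECT_EVENTS = {"GetObject", "PutObject", "DeleteObject"}


def object_accesses(trail_json: str):
    """Yield (user, event, key, denied) for every S3 object-level record."""
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in OBJECT_EVENTS:
            continue
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        key = rec.get("requestParameters", {}).get("key")
        if key is None:
            continue
        yield user, rec["eventName"], key, "errorCode" in rec


def access_report(trail_json: str) -> dict:
    """Map each user to the sorted list of keys they successfully read or wrote."""
    report = defaultdict(set)
    for user, _event, key, denied in object_accesses(trail_json):
        if not denied:
            report[user].add(key)
    return {user: sorted(keys) for user, keys in report.items()}


def cross_folder_attempts(trail_json: str) -> list:
    """Records where the user targeted a key outside `<username>/`, denied or not.

    Under the prefix policy these should all be denied; a successful one means
    the policy or the folder convention has drifted.
    """
    return [
        (user, event, key, denied)
        for user, event, key, denied in object_accesses(trail_json)
        if not key.startswith(user + "/")
    ]


# Equivalent Athena query over the standard CloudTrail table layout
# (table name `cloudtrail_logs` is assumed; requestparameters is stored as a JSON string).
ATHENA_REPORT_QUERY = """
SELECT useridentity.username AS scientist,
       eventname,
       json_extract_scalar(requestparameters, '$.key') AS object_key,
       eventtime
FROM cloudtrail_logs
WHERE eventsource = 's3.amazonaws.com'
  AND eventname IN ('GetObject', 'PutObject', 'DeleteObject')
  AND errorcode IS NULL
ORDER BY eventtime;
"""

if __name__ == "__main__":
    print(json.dumps(access_report(SAMPLE_TRAIL), indent=2))
    for attempt in cross_folder_attempts(SAMPLE_TRAIL):
        print("cross-folder attempt:", attempt)
```

Note that GetObject and PutObject are data events: a trail configured only for management events will never contain them, so the trail in the answer has to have S3 data event logging enabled for the bucket before Athena has anything to report on.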
Enabling S3 server access logging provides logs of requests made to the S3 bucket but does not provide detailed information about which scientist accessed which document. This solution does not fulfill the compliance requirement as effectively as CloudTrail, and querying server access logs can be more complex and less informative.
While creating a bucket policy to grant read and write access is necessary, it does not provide the required data privacy as it would allow all scientists in the IAM group to access each other’s documents. This fails to meet the compliance officer’s concerns.
Although AWS CloudTrail can capture object-level events, writing events to CloudWatch and using the CloudWatch connector for Athena adds unnecessary complexity. The logs would also not provide a straightforward method for generating the required reports compared to directly using CloudTrail logs stored in S3.