Which combination of steps will meet these requirements?
(Choose two.)
Create a custom IAM Identity Center permission set to grant the data scientists access to an S3 bucket prefix that matches their username tag. Use a policy to limit access to paths with the ${aws:PrincipalTag/userName}/* condition.
Create an IAM Identity Center role for the data scientists group that has Amazon S3 read access and write access. Add an S3 bucket policy that allows access to the IAM Identity Center role.
Configure AWS CloudTrail to log S3 data events and deliver the logs to an S3 bucket. Use Amazon Athena to run queries on the CloudTrail logs in Amazon S3 and generate reports.
Configure AWS CloudTrail to log S3 management events to CloudWatch. Use Amazon Athena’s CloudWatch connector to query the logs and generate reports.
Enable S3 access logging to EMR File System (EMRFS). Use Amazon S3 Select to query logs and generate reports.
Explanations:
Creating a custom IAM Identity Center permission set whose policy uses the ${aws:PrincipalTag/userName} policy variable ensures that each data scientist can access only the prefix that matches their own username. This is attribute-based access control (ABAC): the permission set is an identity-based policy, and the variable resolves at request time from the session tag that IAM Identity Center passes when attributes for access control is enabled and the userName attribute is mapped to a tag. Because the resolved resource ARN is different for every user, a single permission set enforces per-user isolation without a separate policy per data scientist.
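The following is an added example, not part of the original question or its explanations. It shows the shape of the permission set's inline policy described above (bucket name, Sids and the extra s3:ListBucket statement are assumptions) and includes a small local check that substitutes the policy variable the way IAM would, so you can see why one user's tag never matches another user's prefix. The check is a simplified simulation for illustration, not the IAM policy evaluator.

```python
import fnmatch
import json
from typing import Optional

POLICY_VAR = "${aws:PrincipalTag/userName}"


def abac_permission_set_policy(bucket: str) -> dict:
    """Inline policy for an IAM Identity Center permission set (example).

    Assumes attributes for access control is enabled and the Identity Center
    attribute 'userName' is mapped to the session tag 'userName', so that
    ${aws:PrincipalTag/userName} resolves to the caller's own name at request
    time. Object actions are limited to <bucket>/<userName>/*, and listing is
    limited to that same prefix through the s3:prefix condition key.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{POLICY_VAR}/*"]}},
            },
            {
                "Sid": "ReadWriteOnlyOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{POLICY_VAR}/*",
            },
        ],
    }


def _resolve(template: str, principal_tags: dict) -> Optional[str]:
    """Substitute the policy variable with the caller's session tag.

    If the caller carries no userName tag, the variable cannot resolve and IAM
    treats the statement as not matching; this simulation returns None for that.
    """
    if POLICY_VAR in template and "userName" not in principal_tags:
        return None
    return template.replace(POLICY_VAR, principal_tags.get("userName", ""))


def _actions(stmt: dict) -> list:
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]


def object_allowed(policy: dict, principal_tags: dict, bucket: str, key: str,
                   action: str = "s3:GetObject") -> bool:
    """Simplified check: does any Allow statement match this object request?
    The example policy has no Deny statements, so a single match grants access."""
    request_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if action not in _actions(stmt):
            continue
        resource = _resolve(stmt["Resource"], principal_tags)
        if resource is not None and fnmatch.fnmatchcase(request_arn, resource):
            return True
    return False


def list_allowed(policy: dict, principal_tags: dict, prefix: str) -> bool:
    """Simplified check for s3:ListBucket with the given request prefix.
    An empty prefix (listing the bucket root) never satisfies the s3:prefix
    condition, so users can only enumerate their own folder."""
    for stmt in policy["Statement"]:
        if "s3:ListBucket" not in _actions(stmt):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", [])
        for pattern in patterns:
            resolved = _resolve(pattern, principal_tags)
            if resolved is not None and fnmatch.fnmatchcase(prefix, resolved):
                return True
    return False


if __name__ == "__main__":
    policy = abac_permission_set_policy("ds-workspace")
    print(json.dumps(policy, indent=2))
    print("alice -> alice/model.pkl:", object_allowed(policy, {"userName": "alice"}, "ds-workspace", "alice/model.pkl"))
    print("bob   -> alice/model.pkl:", object_allowed(policy, {"userName": "bob"}, "ds-workspace", "alice/model.pkl"))
    print("no tag -> alice/model.pkl:", object_allowed(policy, {}, "ds-workspace", "alice/model.pkl"))
```

Two points the check makes visible: a principal whose session carries no userName tag gets nothing at all (the variable does not resolve, so the statement never matches), and the s3:ListBucket statement needs its own s3:prefix condition, because ListBucket is a bucket-level action that the object ARN in the second statement does not cover.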
While creating an IAM Identity Center role with S3 read and write access is a good start, it does not limit access to individual user data. Without additional restrictions, all data scientists would have access to the entire bucket, violating the requirement for users to access only their own work.
Configuring AWS CloudTrail to log S3 data events records each object-level API call (for example GetObject, PutObject and DeleteObject) together with the identity of the caller, the bucket and object key, and whether the call succeeded or was denied. Data events are not logged by default and are billed separately, so they must be enabled for the bucket in the trail. By delivering these logs to an S3 bucket and querying them with Amazon Athena, the company can generate monthly reports of which documents each user accessed, fulfilling the reporting requirement.
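As an added example (not part of the original page), the following builds the monthly per-user document report from CloudTrail S3 data event records. The records are constructed inline using CloudTrail's real field names with made-up account ID, role name and object keys; the Identity Center role session name is assumed to be the user's name, which is how the report attributes calls to individual users. An equivalent Athena query over the standard CloudTrail table is included as a string; the table name cloudtrail_logs is an assumption.

```python
import json
from collections import defaultdict
from datetime import datetime

ROLE_ARN_PREFIX = "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_DataScientist_0123456789abcdef"

# Object-level S3 operations worth reporting on (data events).
OBJECT_EVENTS = {"GetObject", "PutObject", "DeleteObject", "CopyObject", "HeadObject"}


def _rec(time, session_name, event, key=None, error=None, source="s3.amazonaws.com"):
    """Build one constructed CloudTrail record (real field names, made-up values)."""
    rec = {
        "eventTime": time,
        "eventSource": source,
        "eventName": event,
        "userIdentity": {"type": "AssumedRole", "arn": f"{ROLE_ARN_PREFIX}/{session_name}"},
        "requestParameters": {"bucketName": "ds-workspace"},
    }
    if key:
        rec["requestParameters"]["key"] = key
    if error:
        rec["errorCode"] = error  # CloudTrail records failed calls with errorCode set
    return rec


# Constructed sample in CloudTrail log-file format: {"Records": [...]}.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    _rec("2024-05-03T09:12:44Z", "alice", "GetObject", "alice/experiments/run-01.csv"),
    _rec("2024-05-03T09:15:02Z", "alice", "PutObject", "alice/model.pkl"),
    _rec("2024-05-10T14:01:37Z", "alice", "GetObject", "alice/experiments/run-01.csv"),
    _rec("2024-05-11T08:45:10Z", "bob", "GetObject", "bob/notes.txt"),
    _rec("2024-05-12T16:20:55Z", "bob", "GetObject", "alice/experiments/run-01.csv", error="AccessDenied"),
    _rec("2024-05-12T16:21:03Z", "bob", "ListObjects"),                      # no object key: skipped
    _rec("2024-04-29T11:00:00Z", "alice", "GetObject", "alice/old.csv"),     # previous month: skipped
    _rec("2024-05-12T16:19:00Z", "bob", "AssumeRole", source="sts.amazonaws.com"),  # not S3: skipped
]})


def principal_name(user_identity: dict) -> str:
    """For an Identity Center user the assumed-role ARN ends in the role session
    name, which is assumed here to be the user's name."""
    arn = user_identity.get("arn", "")
    if user_identity.get("type") == "AssumedRole" and "/" in arn:
        return arn.rsplit("/", 1)[1]
    return arn or user_identity.get("principalId", "unknown")


def monthly_document_report(log_file_json: str, year: int, month: int) -> dict:
    """Return {user: {s3_uri: {"ok": n, "denied": n}}} for object-level S3
    events in the given month. Denied attempts are kept separate so the report
    also shows who tried to reach documents that were not theirs."""
    report = defaultdict(lambda: defaultdict(lambda: {"ok": 0, "denied": 0}))
    for rec in json.loads(log_file_json)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in OBJECT_EVENTS:
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if (ts.year, ts.month) != (year, month):
            continue
        params = rec.get("requestParameters") or {}
        key = params.get("key")
        if not key:
            continue
        doc = f"s3://{params.get('bucketName')}/{key}"
        outcome = "denied" if rec.get("errorCode") else "ok"
        report[principal_name(rec["userIdentity"])][doc][outcome] += 1
    return {user: dict(docs) for user, docs in report.items()}


# Same report in Athena over the standard CloudTrail table (table name assumed).
ATHENA_MONTHLY_REPORT = """
SELECT useridentity.arn AS principal,
       json_extract_scalar(requestparameters, '$.key') AS object_key,
       count_if(errorcode IS NULL) AS ok,
       count_if(errorcode IS NOT NULL) AS denied
FROM cloudtrail_logs
WHERE eventsource = 's3.amazonaws.com'
  AND eventname IN ('GetObject', 'PutObject', 'DeleteObject', 'CopyObject', 'HeadObject')
  AND eventtime >= '2024-05-01T00:00:00Z' AND eventtime < '2024-06-01T00:00:00Z'
  AND json_extract_scalar(requestparameters, '$.key') IS NOT NULL
GROUP BY 1, 2
ORDER BY 1, 2
"""

if __name__ == "__main__":
    print(json.dumps(monthly_document_report(SAMPLE_LOG_FILE, 2024, 5), indent=2))
```

Note the bob record with errorCode AccessDenied: CloudTrail logs the attempt even though the permission set blocked it, which is exactly the evidence a monthly review wants alongside the successful reads and writes.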
Logging S3 management events captures bucket-level operations such as CreateBucket, PutBucketPolicy or DeleteBucket, not object-level calls such as GetObject or PutObject. Even if those logs are sent to CloudWatch Logs and queried through Athena's CloudWatch connector, they contain no record of which documents a user read or wrote, so this option cannot produce the required per-document access report.
Enabling S3 access logging to EMR File System (EMRFS) is not a valid configuration: S3 server access logs are delivered to a target S3 bucket, and EMRFS is the S3 connector used by Amazon EMR clusters, not a log destination. S3 Select also operates on a single object at a time, so it cannot aggregate a month of log files across many users into one report the way an Athena query over the whole log prefix can. This option therefore does not meet the reporting requirement.