Which solution will meet these requirements?
Configure interface VPC endpoints for each AWS service that the teams need. Use the required interface VPC endpoints to submit the big data workloads.
Create EMR runtime roles. Configure the cluster to use the runtime roles. Use the runtime roles to submit the big data workloads.
Create an EC2 IAM instance profile that has the required permissions for each team. Use the instance profile to submit the big data workloads.
Create an EMR security configuration that has the EnableApplicationScopedIAMRole option set to false. Use the security configuration to submit the big data workloads.
Explanations:
Configuring interface VPC endpoints provides network access to AWS services but does not restrict the permissions of each team’s workloads. This option does not control access at the IAM level for individual teams.
Creating EMR runtime roles allows each team to have specific permissions associated with their workloads. These roles can be tailored to restrict access to only the AWS services that each team needs, ensuring that the workloads do not access unwanted services.
Using an EC2 IAM instance profile grants permissions at the instance level, so the same permissions apply to every workload running on that instance. This does not isolate permissions by team; all teams’ workloads share one set of permissions.
Setting the EnableApplicationScopedIAMRole option to false in an EMR security configuration disables application-scoped IAM roles, which are the mechanism that limits a workload’s access to resources. This does not provide per-team control over access to AWS services.