Which solution will meet these requirements?
Mount the EFS file system in read-only mode from within the EC2 instances.
Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles that are attached to the EC2 instances.
Create an identity policy for the EFS file system that denies the elasticfilesystem:ClientWrite action on the EFS file system.
Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory.
Explanations:
Mounting the EFS file system in read-only mode from within the EC2 instances can limit access temporarily, but it is not an IAM-based control and does not prevent the application from remounting in read-write mode.
A resource policy (EFS file system policy) that denies the elasticfilesystem:ClientWrite action to the EC2 IAM roles will effectively prevent any write operations, satisfying the requirement to use IAM for access control.
IAM identity policies do not apply directly to EFS file systems; they apply to actions that the IAM principal can perform, not resource-level actions like file access.
POSIX permissions are not IAM-based and require additional management complexity. IAM-based controls were specified, so this approach does not meet the requirement.
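The resource-policy option from the explanations above, written out as an EFS file system policy. This is an added example, not part of the original question set; the account ID, role names, region and file system ID are placeholder values, and the policy assumes the instances mount the file system with IAM authorization (for example `-o tls,iam` with amazon-efs-utils) so that the role identity is evaluated at mount time.

```json
{
  "Version": "2012-10-17",
  "Id": "efs-read-only-for-application-roles",
  "Statement": [
    {
      "Sid": "AllowMountForApplicationRoles",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/ApplicationRoleA",
          "arn:aws:iam::111122223333:role/ApplicationRoleB"
        ]
      },
      "Action": "elasticfilesystem:ClientMount",
      "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0"
    },
    {
      "Sid": "DenyWriteForApplicationRoles",
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/ApplicationRoleA",
          "arn:aws:iam::111122223333:role/ApplicationRoleB"
        ]
      },
      "Action": "elasticfilesystem:ClientWrite",
      "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0"
    },
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "*",
      "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0",
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

Because the explicit Deny is evaluated regardless of how the client mounts, remounting in read-write mode on the instance does not restore write access for these roles; the last statement additionally rejects any mount that does not use TLS, which is required for IAM authorization to be applied.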