Which solution will meet these requirements?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A financial services company has an asset management product that thousands of customers use around the world.The customers provide feedback about the product through surveys.The company is building a new analytical solution that runs on Amazon EMR to analyze the data from these surveys.The following user personas need to access the analytical solution to perform different actions:• Administrator: Provisions the EMR cluster for the analytics team based on the team’s requirements• Data engineer: Runs ETL scripts to process, transform, and enrich the datasets• Data analyst: Runs SQL and Hive queries on the dataA solutions architect must ensure that all the user personas have least privilege access to only the resources that they need.The user personas must be able to launch only applications that are approved and authorized.The solution also must ensure tagging for all resources that the user personas create.

Which solution will meet these requirements?

Create IAM roles for each user persona. Attach identity-based policies to define which actions the user who assumes the role can perform. Create an AWS Config rule to check for noncompliant resources. Configure the rule to notify the administrator to remediate the noncompliant resources.

Setup Kerberos-based authentication for EMR clusters upon launch. Specify a Kerberos security configuration along with cluster-specific Kerberos options.

Use AWS Service Catalog to control the Amazon EMR versions available for deployment, the cluster configuration, and the permissions for each user persona.

Launch the EMR cluster by using AWS CloudFormation, Attach resource-based policies to the EMR cluster during cluster creation. Create an AWS. Config rule to check for noncompliant clusters and noncompliant Amazon S3 buckets. Configure the rule to notify the administrator to remediate the noncompliant resources.

Explanations:

While creating IAM roles for each user persona is a good approach for managing permissions, it does not directly control the application launch nor does it ensure tagging of resources automatically. The AWS Config rule can monitor compliance, but it does not enforce the least privilege access or the authorized application launch.

Kerberos-based authentication provides security for user access to the EMR cluster but does not address the requirements for least privilege access for the user personas or control over which applications can be launched. It also does not ensure tagging of resources.

AWS Service Catalog is designed to create and manage approved products and services in a controlled manner. It allows the organization to define which versions of EMR can be used, configure permissions for different user personas, and ensure that only authorized applications are launched. This solution aligns well with the requirement for least privilege access and can facilitate tagging of resources.

Launching the EMR cluster using AWS CloudFormation can help manage infrastructure as code, but attaching resource-based policies to the EMR cluster does not directly control user permissions and access at the level of least privilege. While AWS Config can monitor compliance, it does not inherently provide the necessary control over user personas or enforce tagging.

2025-10-14

1 Comment

  1. Samuel
    Author

    As far as I can tell, the answer is:
    Use AWS Service Catalog to control the Amazon EMR versions available for deployment, the cluster configuration, and the permissions for each user persona.

Leave a Reply

Your email address will not be published. Required fields are marked *

1 × 2 =