AWS Certified Data Engineer Associate DEA-C01 Practice Question
A company runs ad-hoc Spark SQL jobs on an Amazon EMR 6.10 cluster. All data-lake tables are stored in Amazon S3, cataloged in AWS Glue, and governed by AWS Lake Formation. Data scientists must query only the order_id and product_id columns in the sales table, while other teams must not access the table. Which solution meets these requirements with minimal effort?
Attach the AWSLakeFormationDataAdmin managed policy to the data-scientist IAM users so Lake Formation automatically masks the restricted columns.
Use an S3 bucket policy that denies s3:GetObject on files containing PII columns and allows s3:GetObject on the remaining objects for the data-scientist IAM role.
In Lake Formation, grant SELECT permission scoped to the order_id and product_id columns of the sales table to the IAM role assumed by the EMR runtime role, and revoke broader table permissions from all principals.
Enable Spark column-level security by setting spark.sql.column.level.security.enabled=true on the EMR cluster and manage a JSON allowlist in HDFS for the data-scientist group.
AWS Lake Formation can enforce fine-grained permissions down to individual columns for engines such as Spark and Hive running on Amazon EMR (release 6.7 and later). Granting SELECT on only the required columns to the IAM principal assumed by the EMR runtime role applies the principle of least privilege and is automatically honored by Spark jobs. Giving AWSLakeFormationDataAdmin to users provides broad administrative rights rather than column filtering, Spark configuration flags alone cannot restrict access without Lake Formation policy enforcement, and S3 bucket policies work at the object level and cannot hide columns inside Parquet or ORC files.
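The column-scoped grant described above, written as an added shell example (not code from the question page or from AWS); the database name `salesdb` and the runtime-role ARN are placeholders, and the `IAM_ALLOWED_PRINCIPALS` revoke removes Lake Formation's default pass-through that would otherwise let any IAM-authorised principal read the whole table.

```shell
# Added example: column-scoped Lake Formation grant for the sales table via the
# AWS CLI. Assumed placeholders: database "salesdb" and the runtime-role ARN.
LF_DB="salesdb"
LF_TABLE="sales"
LF_PRINCIPAL="arn:aws:iam::123456789012:role/emr-datascience-runtime-role"  # placeholder

# Build the TableWithColumns resource JSON for a column-scoped grant.
# Usage: lf_column_resource DB TABLE COL [COL...]
lf_column_resource() {
  db=$1; table=$2; shift 2
  cols=""
  for c in "$@"; do
    cols="${cols:+$cols,}\"$c\""
  done
  printf '{"TableWithColumns":{"DatabaseName":"%s","Name":"%s","ColumnNames":[%s]}}' \
    "$db" "$table" "$cols"
}

# Table-level resource JSON, used when revoking broader permissions.
lf_table_resource() {
  printf '{"Table":{"DatabaseName":"%s","Name":"%s"}}' "$1" "$2"
}

# Grant SELECT on only the listed columns to the principal.
lf_grant_columns() {
  principal=$1; db=$2; table=$3; shift 3
  aws lakeformation grant-permissions \
    --principal "DataLakePrincipalIdentifier=$principal" \
    --permissions SELECT \
    --resource "$(lf_column_resource "$db" "$table" "$@")"
}

# Revoke whole-table permissions from a principal. Passing IAM_ALLOWED_PRINCIPALS
# removes the default grant that bypasses Lake Formation for IAM-authorised users.
lf_revoke_table() {
  aws lakeformation revoke-permissions \
    --principal "DataLakePrincipalIdentifier=$1" \
    --permissions ALL \
    --resource "$(lf_table_resource "$2" "$3")"
}

# Only call AWS when explicitly asked, so the functions can be sourced safely.
if [ "${LF_APPLY:-}" = "1" ]; then
  lf_revoke_table IAM_ALLOWED_PRINCIPALS "$LF_DB" "$LF_TABLE"
  lf_grant_columns "$LF_PRINCIPAL" "$LF_DB" "$LF_TABLE" order_id product_id
  # Verify what the runtime role can now see on the table.
  aws lakeformation list-permissions --principal "DataLakePrincipalIdentifier=$LF_PRINCIPAL" \
    --resource-type TABLE
fi
```

Run with `LF_APPLY=1 sh grant.sh` after adjusting the placeholders; without `LF_APPLY` the script only defines the helpers.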