AWS Certified Data Engineer Associate DEA-C01 Practice Question

A financial company stores raw transaction data in an Amazon S3 data lake. AWS Glue ETL jobs and Amazon Athena queries must continue to access a PII table for further processing. However, the company must prevent an Amazon EMR cluster used by data scientists from reading that table, without duplicating the data or maintaining separate copies. Which approach BEST meets these requirements?

  • Register the S3 location with AWS Lake Formation and grant SELECT permissions only to the Glue and Athena principals, leaving the EMR runtime role without privileges.

  • Encrypt the bucket with an AWS KMS customer-managed key and update the key policy to deny decrypt permission to the EMR role while allowing Glue and Athena services.

  • Move the PII table to a separate S3 bucket referenced solely by Glue and Athena, and remove that bucket from the EMR cluster configuration.

  • Attach an S3 bucket policy that allows access only when the request header contains aws:CalledVia equal to glue.amazonaws.com or athena.amazonaws.com, denying all other services.

Data Security and Governance