Crucial Exams

AWS Certified Data Engineer Associate DEA-C01 Practice Question

An organization runs an Amazon EMR cluster in a private subnet. The cluster uses a gateway VPC endpoint (vpce-1234) to read and write data in the analytics S3 bucket. Security requires that only the IAM role emrAnalyticsRole attached to the cluster can reach Amazon S3 through the endpoint. Other principals in the VPC must be blocked, without modifying bucket policies. What should a data engineer do to meet these requirements?

  • Configure a custom policy on gateway endpoint vpce-1234 that allows full S3 access only when aws:PrincipalArn equals arn:aws:iam:::role/emrAnalyticsRole and implicitly denies all other principals.

  • Attach an inline IAM policy to the emrAnalyticsRole that grants s3:ListBucket and s3:GetObject on the analytics bucket.

  • Modify the security group of the EMR cluster to allow outbound traffic only to the S3 prefix list and remove that rule from other instances.

  • Add a bucket policy to the analytics bucket that denies access unless aws:SourceVpce equals vpce-1234.

AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot