Crucial Exams

AWS Certified Data Engineer Associate DEA-C01 Practice Question

An organization stores datasets in the S3 bucket "analytics-bkt". AWS Glue jobs assume GlueJobRole and Athena queries run under AthenaRole. GlueJobRole must write only to processed/, while AthenaRole must read from processed/ but not list or access other objects. Using policy-based authorization and least privilege, which approach needs the fewest managed policies or resources?

  • Attach separate inline IAM identity policies to GlueJobRole and AthenaRole granting their required S3 actions on analytics-bkt; leave the bucket without a bucket policy.

  • Create two S3 Access Points, one for each role, with policies restricting operations to the processed/ prefix; keep Block Public Access enabled on the bucket.

  • Attach one bucket policy to analytics-bkt that grants GlueJobRole s3:PutObject on processed/*, grants AthenaRole s3:GetObject and ListBucket limited to the processed/ prefix, and denies any other S3 actions for either role.

  • Use S3 object ACLs to grant GlueJobRole write permission and AthenaRole read permission on objects under the processed/ prefix, and disable the bucket policy.

AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot