AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your company maintains a data lake in account A registered with AWS Lake Formation. Data scientists in a separate AWS account (account B) must query two specific tables in Amazon Athena while having no visibility into other tables or objects in the bucket. The security team wants to avoid adding bucket policies or manual object-level ACLs and enforce least privilege at the table level. Which approach meets these requirements?
In account A, use Lake Formation Grant Permissions to share SELECT and DESCRIBE on the two tables directly with the Athena execution role ARN from account B; have account B accept the AWS RAM share and create resource links before running queries.
Attach an S3 bucket policy that allows the account B role s3:GetObject on the entire data-lake prefix and rely on Athena workgroup settings for query isolation.
Export the two tables to a new S3 location, replicate the data to a bucket in account B, and grant full access to that bucket.
Create an AWS Glue Data Catalog resource policy that shares the tables with account B, then let account B query them without additional Lake Formation grants.
Granting Lake Formation permissions on the individual tables to the IAM role used by Athena in account B achieves table-level, least-privilege access without changing the S3 bucket policy. When the data lake administrator in account A issues a Lake Formation GRANT for SELECT (and DESCRIBE) on just those tables to the cross-account role, Lake Formation automatically creates an AWS Resource Access Manager (RAM) share. After the share is accepted, users in account B can create resource links and query the tables through Athena, but Lake Formation continues to control access to all other catalog objects and underlying S3 data. The other options either rely on broad S3 bucket permissions, duplicate data, or use Glue resource policies that still require bucket-level access, so they do not satisfy the security team's constraints.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS Lake Formation, and how does it control table-level access?
Open an interactive chat with Bash
What is AWS Resource Access Manager (RAM), and how does it work with Lake Formation?
Open an interactive chat with Bash
What are resource links in AWS Glue, and why are they important for cross-account querying?
Open an interactive chat with Bash
What is AWS Lake Formation, and how does it manage table-level permissions?
Open an interactive chat with Bash
What role does AWS Resource Access Manager (RAM) play in cross-account access with Lake Formation?
Open an interactive chat with Bash
Why are bucket policies or object-level ACLs not ideal for this scenario?
Open an interactive chat with Bash
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .