AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your company maintains a multi-tenant data lake on Amazon S3 with each department's data stored under its own prefix (for example s3://company-data/finance/ and s3://company-data/hr/). Analysts run interactive queries in Amazon Athena through AWS IAM Identity Center. You must ensure an analyst can query only the objects in their department's prefix while minimizing ongoing configuration changes. Which approach applies role-based authorization and meets the requirement?
Tag all S3 objects with a Department key and use a single S3 Access Point whose policy allows access only when aws:ResourceTag:Department matches the analyst's tag, keeping one shared IAM role for every analyst.
Attach a bucket policy that denies GetObject unless the object key begins with the user's department prefix, and let all analysts continue to use the default IAM role provided by IAM Identity Center.
Generate pre-signed S3 URLs for each department's query results at the start of every Athena session and distribute them to analysts through AWS Secrets Manager.
Create an IAM role for each department that allows access only to its S3 prefix, register the prefix with AWS Lake Formation using that role, grant the role SELECT permissions on the relevant tables, and require analysts to assume their department's role before running Athena queries.
Creating one IAM role per department, limiting the role's S3 permissions to the department prefix, and registering that prefix with AWS Lake Formation provides role-based authorization. When an analyst assumes the role, Lake Formation vends temporary, scoped-down credentials to Athena, so queries outside the allowed prefix are automatically denied without additional bucket or object changes. The other options rely on tag-based ABAC, broad bucket policies, or pre-signed URLs; none of those implements true role-based access and each introduces more maintenance or looser control.
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance