AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your company stores transaction data in the S3 bucket finance-data.
AWS Glue ETL jobs must write files only to the raw/ and cleaned/ prefixes.
Business analysts run queries with Amazon Athena and must read objects only from cleaned/. You must implement least-privilege, role-based access without granting bucket-wide permissions. Which approach meets these requirements?
Enable Amazon S3 Access Analyzer on the bucket, then assign a single IAM role with s3:* permissions on finance-data to all users and jobs, relying on Access Analyzer findings to verify least privilege.
Create two IAM roles. Attach a policy to GlueRole that allows s3:PutObject and s3:DeleteObject on finance-data/raw/* and finance-data/cleaned/, and to AnalystRole that allows s3:GetObject and s3:ListBucket with a prefix condition for finance-data/cleaned/. Configure the Glue job and analyst sessions to assume the appropriate role.
Add a bucket policy that grants the entire development AWS account full access to finance-data and manage access for Glue and analysts only with identity-based policies inside that account.
Attach the AWS managed policy AmazonS3FullAccess to the Glue job's role and AWS managed policy ReadOnlyAccess to all analyst IAM users.
Using separate IAM roles allows permissions to be granted that match each workload's responsibilities while preventing accidental access elsewhere in the bucket. A Glue service role that contains only s3:PutObject and s3:DeleteObject on finance-data/raw/* and finance-data/cleaned/* lets the ETL job write where required but nowhere else. An analyst-facing role that allows s3:GetObject and the minimal s3:ListBucket action, scoped by a prefix condition key to finance-data/cleaned/, enables Athena queries without exposing raw data. The roles can be assumed by the Glue job and by federated analyst sessions, enforcing role-based access control and the principle of least privilege. The other options either grant overly broad permissions, use bucket-wide grants, or rely on tools that do not enforce access.
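The two role policies described above, written out as an added example (not part of the original question). It shows that s3:ListBucket must target the bucket ARN and be narrowed with the s3:prefix condition key, while object actions are scoped by object ARN. The `is_allowed` helper is a hypothetical, simplified checker and the object keys passed to it are constructed.

```python
import json
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::finance-data"

# Write-only access for the Glue job, limited to the two prefixes.
GLUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:DeleteObject"],
        "Resource": [f"{BUCKET}/raw/*", f"{BUCKET}/cleaned/*"],
    }],
}

# Read-only access for analysts. GetObject is scoped by object ARN;
# ListBucket targets the bucket ARN, so it is scoped by the s3:prefix key.
ANALYST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"{BUCKET}/cleaned/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [BUCKET],
         "Condition": {"StringLike": {"s3:prefix": ["cleaned/*"]}}},
    ],
}

def is_allowed(policy, action, resource, context=None):
    """Simplified check: Allow statements only, exact action names,
    wildcard resources, and StringLike conditions. Not the full IAM
    evaluation logic (no Deny, NotAction, SCPs or bucket policies)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        like = stmt.get("Condition", {}).get("StringLike", {})
        # A condition key missing from the request never matches.
        if all(key in context and
               any(fnmatchcase(context[key], p) for p in patterns)
               for key, patterns in like.items()):
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(ANALYST_POLICY, indent=2))
```

A list request that omits the prefix is not allowed by the analyst policy, because the s3:prefix key is absent from the request.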
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance