AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your data engineering team runs Apache Spark jobs on an Amazon EMR cluster inside a private subnet. The job must write results to an Amazon S3 bucket in the same account. The security team insists that no long-lived credentials are stored on the cluster and that permissions follow least privilege. Which approach satisfies these authentication requirements?
Generate a presigned URL for the bucket prefix and save it as plain text on each node before the job starts.
Store access keys for an IAM user with AmazonS3FullAccess in AWS Secrets Manager and retrieve them during cluster bootstrap.
Attach a custom-policy IAM instance-profile role to the EMR cluster that allows only s3:PutObject on the specific bucket.
Provision a client certificate in AWS Certificate Manager and configure Spark to present it for mutual TLS when writing to S3.
Attaching an IAM instance-profile role to the EMR cluster supplies temporary credentials to every node through the Instance Metadata Service. Those short-lived credentials are automatically rotated and can be scoped to the exact S3 actions (for example, only s3:PutObject on the target bucket), meeting the principle of least privilege. Storing an IAM user's access keys in Secrets Manager still creates long-lived credentials and a rotation burden. Amazon S3 does not support client-certificate authentication, so a certificate-based solution would fail. Presigned URLs avoid credentials but cannot realistically support continual Spark writes and expose the URL if stored on the nodes. Therefore, using a tightly scoped instance-profile role is the only option that satisfies both the no-long-lived-credentials and least-privilege requirements.
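The following is an added example, not part of the original question: a small Python check that reviews the policy attached to the instance-profile role and reports anything broader than s3:PutObject on objects in the target bucket. The bucket name, both policy documents and the function name are constructed for illustration.

```python
BUCKET = "example-results-bucket"  # placeholder bucket name (assumption)

# Constructed policy matching the correct answer: one action, one bucket.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Constructed policy shaped like a full-access S3 grant.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    # IAM allows a single string/object or a list in these fields.
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy, bucket, allowed_actions=("s3:PutObject",)):
    """Return findings; an empty list means every Allow statement grants
    only the allowed actions on objects inside the named bucket."""
    findings = []
    allowed = {a.lower() for a in allowed_actions}  # action names are case-insensitive
    prefix = f"arn:aws:s3:::{bucket}/"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.lower() not in allowed:
                findings.append(f"statement {i}: extra action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(prefix):
                findings.append(f"statement {i}: resource outside bucket {resource!r}")
    return findings


if __name__ == "__main__":
    print("scoped:", least_privilege_findings(SCOPED_POLICY, BUCKET))
    print("broad: ", least_privilege_findings(BROAD_POLICY, BUCKET))
```

Pass additional action names through allowed_actions if the reviewed role is meant to hold more than the single action used in the question.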
Data Security and Governance