AWS Certified Data Engineer Associate DEA-C01 Practice Question

Your organization stores department data in several Amazon S3 buckets. Hundreds of users sign in through a SAML 2.0 identity provider. The data team must allow each user to list and read objects only in buckets that belong to the same department. Permissions must automatically apply to buckets created in the future without modifying policies. What should you do?

  • Create a separate IAM role and inline policy for every department that contains the specific bucket ARNs, and map identity-provider groups to those roles.

  • Register the buckets in AWS Lake Formation, assign LF-tags per department, and grant permissions based on those LF-tags whenever a new bucket is added.

  • Turn on S3 Block Public Access and attach an IAM policy that allows s3:* actions when aws:PrincipalOrgID matches your AWS Organizations ID.

  • Implement IAM ABAC: pass the Department attribute as a session tag during SAML federation, tag each S3 bucket with Department, and attach a single IAM policy that allows access when aws:PrincipalTag/Department equals aws:ResourceTag/Department.

Data Security and Governance