
Exam AWS Certified Solutions Architect - Professional topic 1 question 553 discussion

A company wants to allow its Marketing team to perform SQL queries on customer records to identify market segments. The data is spread across hundreds of files. The records must be encrypted in transit and at rest. The Team Manager must have the ability to manage users and groups, but no team members should have access to services or resources not required for the SQL queries. Additionally, Administrators need to audit the queries made and receive notifications when a query violates rules defined by the Security team.
AWS Organizations has been used to create a new account and an AWS IAM user with administrator permissions for the Team Manager.
Which design meets these requirements?

  • A. Apply a service control policy (SCP) that allows access to IAM, Amazon RDS, and AWS CloudTrail. Load customer records in Amazon RDS MySQL and train users to execute queries using the AWS CLI. Stream the query logs to Amazon CloudWatch Logs from the RDS database instance. Use a subscription filter with AWS Lambda functions to audit and alarm on queries against personal data.
  • B. Apply a service control policy (SCP) that denies access to all services except IAM, Amazon Athena, Amazon S3, and AWS CloudTrail. Store customer record files in Amazon S3 and train users to execute queries using the CLI via Athena. Analyze CloudTrail events to audit and alarm on queries against personal data.
  • C. Apply a service control policy (SCP) that denies access to all services except IAM, Amazon DynamoDB, and AWS CloudTrail. Store customer records in DynamoDB and train users to execute queries using the AWS CLI. Enable DynamoDB streams to track the queries that are issued and use an AWS Lambda function for real-time monitoring and alerting.
  • D. Apply a service control policy (SCP) that allows access to IAM, Amazon Athena, Amazon S3, and AWS CloudTrail. Store customer records as files in Amazon S3 and train users to leverage the Amazon S3 Select feature and execute queries using the AWS CLI. Enable S3 object-level logging and analyze CloudTrail events to audit and alarm on queries against personal data.
Suggested Answer: B
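The options differ in how the SCP is written: option B is a deny-list SCP (Deny with NotAction), option D an allow-list SCP. The following added example, not from the exam page, models both styles with a simplified SCP evaluator (explicit Deny wins, otherwise some Allow must match) to show why an allow-list SCP only restricts anything once the default FullAWSAccess policy is detached; the action names are assumed for illustration.

```python
import fnmatch

# Deny-list SCP in the style of option B: everything is denied except the
# four services the Marketing team needs (IAM lets the Team Manager manage
# users and groups; CloudTrail keeps the audit trail).
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["iam:*", "athena:*", "s3:*", "cloudtrail:*"],
        "Resource": "*",
    }],
}

# Allow-list SCP in the style of option D: only these services are listed.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:*", "athena:*", "s3:*", "cloudtrail:*"],
        "Resource": "*",
    }],
}

# The FullAWSAccess SCP that AWS Organizations attaches by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _matches(action, patterns):
    """Case-insensitive wildcard match of an action against one or more patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_hits(stmt, action):
    """A statement applies if Action matches, or if NotAction does NOT match."""
    if "Action" in stmt:
        return _matches(action, stmt["Action"])
    return not _matches(action, stmt["NotAction"])


def scp_permits(action, scps):
    """Simplified SCP evaluation: any matching Deny blocks the action;
    otherwise at least one matching Allow is required (SCPs never grant
    permissions by themselves, an IAM policy is still needed)."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if not _statement_hits(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

With FullAWSAccess still attached, the allow-list SCP leaves RDS reachable, while the deny-list SCP blocks it regardless; the allow-list only takes effect on its own.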

Comments

jay1ram2
Highly Voted 3 years, 9 months ago
The answer is B. This is the only option that satisfies all requirements:
Encryption Rest/Transit - S3/Athena
Manage users and groups - IAM
Deny Access - Ensures the strictest access.
Audit Queries - CloudTrail logs
A - RDS MySQL only pushes slow query log to CloudWatch
C - DynamoDB streams push only data changes not SQL
D - This option up Athena but recommends using S3 Select
upvoted 27 times
Amitv2706
Highly Voted 3 years, 8 months ago
B is correct. Athena can run queries on multiple files at the same time. However, S3 Select is applicable to only one object at a time.
upvoted 5 times
AWSum1
3 years, 8 months ago
Correct. And the question states 100s of files
upvoted 1 times
3a632a3
Most Recent 1 year, 5 months ago
Selected Answer: B
The answer is B because Athena can query hundreds of files and S3 Select only works on a single file at a time. In regards to the SCP, D is valid if set up correctly. You should use both Allow and Deny in your SCPs appropriately. Think of no Allow as a soft deny for your general case and Deny as your hard deny for rigid compliance. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
upvoted 1 times
SkyZeroZx
2 years ago
Selected Answer: B
Encryption Rest/Transit - S3/Athena
Manage users and groups - IAM
Deny Access - Ensures the strictest access.
Audit Queries - CloudTrail logs
A - RDS MySQL only pushes slow query log to CloudWatch
C - DynamoDB streams push only data changes not SQL
D - This option up Athena but recommends using S3 Select
This is an easy one for solution-type questions, hope I can have it in my exam.
upvoted 1 times
davidy2020
2 years, 5 months ago
"no team members should have access to services or resources not required for the SQL queries" - this statement indicates that access to all other services should be denied, and only answer B fits the bill.
upvoted 1 times
dcdcdc3
2 years, 9 months ago
This is what S3 Select is: https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-s3-announces-new-features-for-s3-select/
upvoted 1 times
cldy
3 years, 7 months ago
B. Apply a service control policy (SCP) that denies access to all services except IAM, Amazon Athena, Amazon S3, and AWS CloudTrail. Store customer record files in Amazon S3 and train users to execute queries using the CLI via Athena. Analyze CloudTrail events to audit and alarm on queries against personal data.
upvoted 1 times
AzureDP900
3 years, 7 months ago
I'll go with B
upvoted 1 times
acloudguru
3 years, 7 months ago
Selected Answer: B
Encryption Rest/Transit - S3/Athena
Manage users and groups - IAM
Deny Access - Ensures the strictest access.
Audit Queries - CloudTrail logs
A - RDS MySQL only pushes slow query log to CloudWatch
C - DynamoDB streams push only data changes not SQL
D - This option up Athena but recommends using S3 Select
This is an easy one for solution-type questions, hope I can have it in my exam.
upvoted 1 times
Smartphone
3 years, 8 months ago
Answer is B. Each of the following policies is an example of a deny list policy strategy. Deny list policies must be attached along with other policies that allow the approved actions in the affected accounts. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
upvoted 1 times
WhyIronMan
3 years, 8 months ago
I'll go with B
upvoted 1 times
Waiweng
3 years, 8 months ago
It's B.
upvoted 2 times
blackgamer
3 years, 8 months ago
Answer is B. Athena can query but what it S3 select.
upvoted 1 times
gsw
3 years, 8 months ago
There is nothing to suggest in the question that it is required to pull out hundreds of queries at a time, in which case why B? Surely D is ok?
upvoted 2 times
Viper57
3 years, 8 months ago
It is not possible to grant permissions using SCP, only deny them. This means you can ignore all questions that state "Use an SCP that allows access".
upvoted 1 times
Ebi
3 years, 8 months ago
I will go with B
upvoted 3 times
T14102020
3 years, 8 months ago
Correct is B. Athena + SCP denies
upvoted 3 times
jackdryan
3 years, 8 months ago
I'll go with B
upvoted 3 times