Exam AWS Certified Data Analytics - Specialty topic 1 question 21 discussion

No doubt its B. If you will have full access on Ec2 instance role and no role match then it will fall back to the default role [When a cluster application makes a request to Amazon S3 through EMRFS, EMRFS evaluates role mappings in the top-down order that they appear in the security configuration. If a request made through EMRFS doesn’t match any identifier, EMRFS falls back to using the service role for cluster EC2 instances.] Also this is tested fully and its more secure then any other options.

Ans B : This is a textbook question. Basically you: create a new EMR service role, removing default permission from original service role which is too permissive with s3:* create some new roles to allow access to respective s3 buckets EMRFS by default will assume EMR service role, which means it gets all access to S3, but can be configured to assume an additional role created by user To be able to do that, user-created roles needs to trust EMR service role (because EMRFS will assume that role first) https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-emrfs-iam-roles.html

Bling choose A for the below explanation Option A is correct because it ensures that each team only has access to its own S3 bucket. By creating a service role that grants no access to Amazon S3 for the EMR cluster EC2 instances, you prevent unauthorized access. Then, by creating additional IAM roles that grant access to each team’s specific bucket and adding these roles to the EMR role for the EC2 trust policy, you ensure that each team can access only its own data. Finally, by creating a security configuration mapping for the additional IAM roles to Active Directory user groups for each team, you ensure that only the members of each team can access their own data. Other options are not the best solutions for this scenario. For example, Options B, C, and D involve adding the service role for the EMR cluster EC2 instances to the trust policies for the additional IAM roles or the base IAM roles, which could potentially allow unauthorized access to the S3 buckets.

B is right

B: I passed the test

Correct answer is B as the EMR service role should be provided with no access and the mapping defined for security configuration for using IAM roles mapped to groups. Option A is wrong as the service role for the EMR cluster EC2 instances should be updated to the trust policies for the additional IAM roles. Options C & D are wrong as the EMR service role should have no access.

B B is right, the service role need assume the additional roles, which means add it to the trust policy of the additional roles. A is the opposite.

isnt b and c the same?

Answer B

Answer is B

Answer B

Answer B

When a cluster application makes a request to Amazon S3 through EMRFS, EMRFS evaluates role mappings in the top-down order that they appear in the security configuration. If a request made through EMRFS doesn’t match any identifier, EMRFS falls back to using the service role for cluster EC2 instances. For this reason, we recommend that the policies attached to this role limit permissions to Amazon S3. For more information, see Service Role for Cluster EC2 Instances (EC2 Instance Profile).

C. We need additional IAM roles. A, B. If EC2 service role has no access to Amazon S3, no one on this EC2 can access S3 at any level. Besides, S3 deny unauthorized access by default. D. We need additional IAM roles.

B is the right answer

Would go with A. By default, no privilege given in the "default" instance profile. Privileges are given through dedicated roles and policies for each domain. Then allow these roles to be assumed by the EMR Service Role. EMR will then use the appropriate IAM roles based on to the role mapping definition.

B is correct as of https://aws.amazon.com/de/blogs/big-data/build-a-multi-tenant-amazon-emr-cluster-with-kerberos-microsoft-active-directory-integration-and-emrfs-authorization/