Exam AWS Certified Big Data - Specialty topic 2 question 13 discussion

It's A. https://aws.amazon.com/blogs/big-data/implementing-authorization-and-auditing-using-apache-ranger-on-amazon-emr/

Every is saying B but https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hive-differences.html it says "Hive authorization : Amazon EMR supports Hive authorization for HDFS but not for EMRFS and Amazon S3. Amazon EMR clusters run with authorization disabled by default."

Answer A: Transparent Encryption - Security configurations offer settings to enable security for data in-transit and data at-rest in Amazon Elastic Block Store (Amazon EBS) storage volumes and EMRFS data in Amazon S3. Ranger - EMR steps are used to perform the following: Install and configure Ranger HDFS and Hive plugins

it's A.. Apache Ranger has the following goals: Centralized security administration to manage all security related tasks in a central UI or using REST APIs. Fine grained authorization to do a specific action and/or operation with Hadoop component/tool and managed through a central administration tool Standardize authorization method across all Hadoop components. Enhanced support for different authorization methods - Role based access control, attribute based access control etc. Centralize auditing of user access and administrative actions (security related) within all the components of Hadoop.

B is the only one to address "SQL base authorization": https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization Which is basically the right to execute a SELECT statement, as required by the question. Answer A is tempting, but why installing an additional ec2 instance if it goes without doing so?

B my choice https://aws.amazon.com/fr/blogs/big-data/encrypt-data-at-rest-and-in-flight-on-amazon-emr-with-security-configurations/

B. A: didn’t mention data encryption on S3. C: KMS is a key management service to managed the encryption keys. No matter what encryption you use, you will can always KMS to manage the keys. so you can say use KMS to manage encryption keys, but not use KMS for encryption of data. D: security group is not helping in giving permission to select statement.

B is the correct answer

This is a good example which confirms that A is the answer-> https://noise.getoto.net/2016/12/02/implementing-authorization-and-auditing-using-apache-ranger-on-amazon-emr/. The key is that the question is about EMR HDFS but some of the choices offered talk about EMRFS which may lead to picking up a wrong answer. As this is AWS EMR, we are looking at an HDFS cluster that needs to be protected. Transparent Data Encryption meets the at rest and in transit requirements. So now authorizing access to Hive tables is best offered using Apache ranger as shown in the blog at the above link.

I dont think B is correct - Amazon EMR supports Hive Authorization(Storage Based Authorization, SQL Standards Based Authorization in HiveServer2) for HDFS but not for EMRFS and Amazon S3. Amazon EMR clusters run with authorization disabled by default.

my selection B

It's B https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization

Why not C? Is it wrong?

why nobody has a think about C?

A is wrong. https://aws.amazon.com/blogs/aws/new-at-rest-and-in-transit-encryption-for-amazon-emr/ "We already offer several data encryption options for EMR including server and client side encryption for Amazon S3 with EMRFS and Transparent Data Encryption for HDFS. While these solutions do a good job of protecting data at rest, they do not address data stored in temporary files or data that is in flight, moving between job steps. Each of these encryption options must be individually enabled and configured, making the process of implementing encryption more tedious that it need be"

I choose B

Apache Ranger is not AWS product, might not a right choice