Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 476 discussion

A large company has many business units. Each business unit has multiple AWS accounts for different purposes. The CIO of the company sees that each business unit has data that would be useful to share with other parts of the company. In total, there are about 10 PB of data that needs to be shared with users in 1,000 AWS accounts. The data is proprietary, so some of it should only be available to users with specific job types. Some of the data is used for throughput-intensive workloads, such as simulations. The number of accounts changes frequently because of new initiatives, acquisitions, and divestitures.
A Solutions Architect has been asked to design a system that will allow for sharing data for use in AWS with all of the employees in the company.
Which approach will allow for secure data sharing in a scalable way?

  • A. Store the data in a single Amazon S3 bucket. Create an IAM role for every combination of job type and business unit that allows for appropriate read/write access based on object prefixes in the S3 bucket. The roles should have trust policies that allow the business unit's AWS accounts to assume their roles. Use IAM in each business unit's AWS account to prevent them from assuming roles for a different job type. Users get credentials to access the data by using AssumeRole from their business unit's AWS account. Users can then use those credentials with an S3 client.
  • B. Store the data in a single Amazon S3 bucket. Write a bucket policy that uses conditions to grant read and write access where appropriate, based on each user's business unit and job type. Determine the business unit with the AWS account accessing the bucket and the job type with a prefix in the IAM user's name. Users can access data by using IAM credentials from their business unit's AWS account with an S3 client.
  • C. Store the data in a series of Amazon S3 buckets. Create an application running in Amazon EC2 that is integrated with the company's identity provider (IdP) that authenticates users and allows them to download or upload data through the application. The application uses the business unit and job type information in the IdP to control what users can upload and download through the application. The users can access the data through the application's API.
  • D. Store the data in a series of Amazon S3 buckets. Create an AWS STS token vending machine that is integrated with the company's identity provider (IdP). When a user logs in, have the token vending machine attach an IAM policy that assumes the role that limits the user's access and/or upload only the data the user is authorized to access. Users can get credentials by authenticating to the token vending machine's website or API and then use those credentials with an S3 client.
Suggested Answer: D
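The core of option D is that the token vending machine never hands out the shared-data role's full permissions: it calls AssumeRole with a session policy derived from the business unit and job type the IdP asserted, so each user only receives credentials scoped to their prefixes. The following is an added example written for this discussion, not code from the exam, from AWS, or from any of the linked guides; the bucket inventory, job-type rules, role ARN and user names are constructed placeholders, and the STS client is injected so the module runs offline.

```python
import json
# Constructed inventory (placeholder bucket names): business unit -> its shared-data bucket.
BUCKETS_BY_BUSINESS_UNIT = {
    "finance": "example-shared-finance",
    "research": "example-shared-research",
}
# Constructed job-type rules: which prefixes each job type may read and write.
JOB_TYPE_ACCESS = {
    "analyst": {"read": ["reports/"], "write": []},
    "simulation-engineer": {"read": ["reports/", "simulations/"], "write": ["simulations/"]},
}

def build_session_policy(business_unit, job_type):
    """Build the session policy the token vending machine passes to AssumeRole.
    A session policy can only narrow the assumed role's permissions, so a mistake
    here can never grant more than the shared-data role itself allows."""
    bucket = BUCKETS_BY_BUSINESS_UNIT[business_unit]
    access = JOB_TYPE_ACCESS[job_type]
    if not access["read"] and not access["write"]:
        raise PermissionError(f"{job_type} has no access to {business_unit} data")
    statements = []
    if access["read"]:
        # Listing is allowed only under the readable prefixes, not the whole bucket.
        statements.append({
            "Effect": "Allow", "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringLike": {"s3:prefix": [p + "*" for p in access["read"]]}},
        })
        statements.append({
            "Effect": "Allow", "Action": "s3:GetObject",
            "Resource": [f"arn:aws:s3:::{bucket}/{p}*" for p in access["read"]],
        })
    if access["write"]:
        statements.append({
            "Effect": "Allow", "Action": "s3:PutObject",
            "Resource": [f"arn:aws:s3:::{bucket}/{p}*" for p in access["write"]],
        })
    return {"Version": "2012-10-17", "Statement": statements}

def vend_credentials(sts_client, role_arn, user_id, business_unit, job_type):
    """Exchange IdP-asserted attributes for short-lived S3 credentials. sts_client is
    injected (boto3.client("sts") in production) so the function runs offline here."""
    policy = build_session_policy(business_unit, job_type)
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"{business_unit}-{job_type}-{user_id}"[:64],
        Policy=json.dumps(policy),
        DurationSeconds=3600,
    )
    return resp["Credentials"]
```

Because the session name carries the business unit, job type and user, every S3 call made with the vended credentials is attributable in CloudTrail, which addresses the auditability concern raised in the comments about an application-fronted design.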

Comments

Smart
Highly Voted 3 years, 9 months ago
I am gonna go with D. I just don't feel comfortable with putting all kinds of data in a single bucket. With options A & B, there is going to be a lot of editing of IAM Roles & Bucket policy as you add or remove more accounts. Option C is good, but what about auditability in CloudTrail if the application API is used for data access? At this business level, AD or AWS SSO is a must.
upvoted 24 times
SD13
3 years, 8 months ago
Token vending machine can be a single point of failure. Going with C.
upvoted 2 times
pixepe
2 years, 8 months ago
TVM can be implemented with Lambda - https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/implement-saas-tenant-isolation-for-amazon-s3-by-using-an-aws-lambda-token-vending-machine.html So Option D is not a single point of failure.
upvoted 1 times
donathon
Highly Voted 3 years, 9 months ago
B. A: Not scalable. Remember this company has 1000 accounts. C: How would users easily access the files using the application's API? D: STS is used for web-based identity like Google or Facebook and not used for an IdP. https://aws.amazon.com/blogs/mobile/simplifying-token-vending-machine-deployment-with-aws-cloudformation/
upvoted 14 times
Konnon
3 years, 9 months ago
With SAML, STS can work with IdP. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
upvoted 8 times
directconnect
3 years, 9 months ago
I will go with D. A and B store the data in a single S3 bucket. Note that the question says petabytes of data. A single S3 bucket can only store 5 terabytes of data, so a series of buckets will be needed.
upvoted 2 times
Japs
3 years, 8 months ago
A bucket can contain unlimited amounts of data
upvoted 4 times
SadioMane
3 years, 8 months ago
The total volume of data and number of objects you can store are unlimited. Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 terabytes.
upvoted 3 times
tiffanny
3 years, 8 months ago
Max IAM users to attach is 20.
upvoted 1 times
TiredDad
3 years, 8 months ago
Bucket policies are limited to 20 KB in size. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
upvoted 2 times
marszalekm
Most Recent 1 year, 4 months ago
https://aws.amazon.com/blogs/apn/isolating-saas-tenants-with-dynamically-generated-iam-policies/
upvoted 1 times
tomosabc1
2 years, 9 months ago
Selected Answer: D
The answer is D. Thanks for bobsmith2000's explanation.
upvoted 3 times
redipa
3 years, 1 month ago
Max S3 bucket size is 5TB. A and B cannot be correct because they want to store 10PB in a SINGLE bucket.
upvoted 1 times
Cal88
2 years, 8 months ago
A bucket has unlimited storage; the 5 TB max is for each object.
upvoted 1 times
bobsmith2000
3 years, 1 month ago
Selected Answer: D
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/implement-saas-tenant-isolation-for-amazon-s3-by-using-an-aws-lambda-token-vending-machine.html
upvoted 3 times
user0001
3 years, 2 months ago
A, because "the roles should have trust policies that allow the business unit's AWS accounts to assume their roles". You cannot share S3 without a trust relationship.
upvoted 1 times
syscao
3 years, 3 months ago
B is perfect. The key word is prefix. D: too many policies to manage.
upvoted 1 times
jyrajan69
3 years, 4 months ago
Based on number of accounts and the size of Data and the following link (https://aws.amazon.com/blogs/apn/isolating-saas-tenants-with-dynamically-generated-iam-policies/), my answer for this will be D
upvoted 1 times
Kopa
3 years, 7 months ago
If you look, the question is about roles, so the proper answer seems to be D; also, B is a lot more complex and not so scalable.
upvoted 1 times
AWSum1
3 years, 8 months ago
D https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/implement-saas-tenant-isolation-for-amazon-s3-by-using-an-aws-lambda-token-vending-machine.html
upvoted 4 times
DerekKey
3 years, 8 months ago
10 PB of data - users in 1,000 AWS accounts.
A wrong - "an IAM role for every combination of job type and business unit".
B wrong - "write a bucket policy that uses conditions to grant read and write access where appropriate, based on each user's business unit and job type" & "with a prefix in the IAM user's name".
C wrong - a single point of failure and bottleneck.
D correct - I don't see any other way to manage such a huge environment. BTW: https://aws.amazon.com/blogs/apn/isolating-saas-tenants-with-dynamically-generated-iam-policies/
upvoted 2 times
DeathFrmAbv
3 years, 8 months ago
Going with D as this is the most scalable solution
upvoted 2 times
WhyIronMan
3 years, 8 months ago
I'll go with D
upvoted 1 times
Akhil254
3 years, 8 months ago
B Correct
upvoted 1 times
Pupu86
3 years, 8 months ago
The question has clearly indicated the permutations of BUs and AWS accounts, and the key objectives are scalability & clarity of purpose for the various amounts of data shared (10PB). Having different S3 buckets resolves the clarity of purpose for the various data types shared. Crafting an STS solution mitigates the permutations of user accounts * IAM roles = scalability.
upvoted 1 times
Kian1
3 years, 8 months ago
going with D, STS API
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other