Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 442 discussion

By utilizing Lake Formation's tag-based access control, you can define tags and tag-based policies to grant selective access to the required data for the engineering team accounts. This approach allows you to control access at a granular level without the need to copy or move the data to a common account or manage permissions individually in each account. It provides a centralized and scalable solution for securely sharing data across accounts with minimal operational overhead.

(B) uses the CLI command that has many options: principal, TableName, ColumnNames, LFTag etc providing a way to manage granular access permissions for different users at the table and column level. That way you don't give full access to the all the data. The problem with (B) is to implement this in each account has a lot more operational overhead than (D).

D: Selective data = tagging A and B gives full access to all the data C is possible but with complex operational overhead as you have to publish your data to the Data Exchange. (this is based on my limited knowledge so happy to be corrected)

D is the correct option with the least operational overhead. Using Lake Formation tag-based access control allows granting cross-account permissions to access data in other accounts based on tags, without having to copy data or configure individual permissions in each account. This provides a centralized, tag-based way to share selective data across accounts to authorized users with least operational overhead.

https://aws.amazon.com/blogs/big-data/securely-share-your-data-across-aws-accounts-using-aws-lake-formation/