ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 306 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 306
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A research center is migrating to the AWS Cloud and has moved its on-premises 1 PB object storage to an Amazon S3 bucket. One hundred scientists are using this object storage to store their work-related documents. Each scientist has a personal folder on the object store. All the scientists are members of a single IAM user group.

The research center's compliance officer is worried that scientists will be able to access each other's work. The research center has a strict obligation to report on which scientist accesses which documents. The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead.

Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)

  • A. Create an identity policy that grants the user read and write access. Add a condition that specifies that the S3 paths must be prefixed with $(aws:username). Apply the policy on the scientists’ IAM user group.
  • B. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket. Store the trail output in another S3 bucket. Use Amazon Athena to query the logs and generate reports.
  • C. Enable S3 server access logging. Configure another S3 bucket as the target for log delivery. Use Amazon Athena to query the logs and generate reports.
  • D. Create an S3 bucket policy that grants read and write access to users in the scientists’ IAM user group.
  • E. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket and write the events to Amazon CloudWatch. Use the Amazon Athena CloudWatch connector to query the logs and generate reports.
Show Suggested Answer Hide Answer
Suggested Answer: AB 🗳️
by KungLjao at Oct. 29, 2023, 2:24 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
FZA24
3 months, 2 weeks ago
Selected Answer: AB
BUT, The question is not clearly formulated. Nothing mentions the requirement that a scientist must only access his own folder.
upvoted 1 times
juanife
2 months, 1 week ago
the question affirms the following: "The research center's compliance officer is worried that scientists will be able to access each other's work. " it is equal to say that each scientist only must have access to his own data and not other data
upvoted 1 times
...
...
AzureDP900
5 months, 1 week ago
Option A allows for secure and isolated access to each scientist's personal folder by prefixing the S3 paths with $(aws:username), ensuring that scientists can only access their own documents. This aligns with the research center's compliance officer's concern about preserving data isolation. Option B configures a CloudTrail trail to capture all object-level events in the S3 bucket, providing detailed information on who accessed which documents. This meets the requirement for reporting on document access by scientists.
upvoted 1 times
...
Daniel76
6 months, 2 weeks ago
Selected Answer: AB
Option E problem is cloudwatch need to be exported to s3 bucket to be queried by Athena.
upvoted 1 times
...
9f02c8d
11 months ago
Option AB
upvoted 1 times
...
ele
1 year, 2 months ago
Selected Answer: AB
Not C: Server access log records are delivered on a best-effort basis.
upvoted 4 times
hogtrough
1 year, 1 month ago
To elaborate further, "The completeness and timeliness of server logging is not guaranteed. The log record for a particular request might be delivered long after the request was actually processed, or it might not be delivered at all. "
upvoted 1 times
...
...
07c2d2a
1 year, 2 months ago
AB is correct. They key here is that the logs are required to be accurate for compliance reasons. Server access isn't good enough here. "Server access log records are delivered on a best-effort basis. Most requests for a bucket that is properly configured for logging result in a delivered log record. Most log records are delivered within a few hours of the time that they are recorded, but they can be delivered more frequently"
upvoted 3 times
...
mhampar12
1 year, 3 months ago
Selected Answer: AC
"The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead."
upvoted 1 times
...
mhampar12
1 year, 3 months ago
A and C "The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead."
upvoted 1 times
...
vibzr2023
1 year, 3 months ago
Answer: AB Option C is incorrect because enabling S3 server access logging and delivering the logs to another S3 bucket does not directly address the requirement to report on which scientist accesses which documents. While the logs can be queried, it does not provide a straightforward solution for generating the required reports. Option D is incorrect because creating an S3 bucket policy that grants read and write access to users in the scientists' IAM user group does not address the compliance officer's concern about scientists being able to access each other's work. It also does not provide a solution for reporting on which scientist accesses which documents.
upvoted 2 times
altonh
1 month, 4 weeks ago
Both B & C use Athena to query the logs and generate reports
upvoted 1 times
...
...
George88
1 year, 5 months ago
Answer: AB https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
upvoted 4 times
...
D10SJoker
1 year, 5 months ago
Selected Answer: AB
In Amazon S3, you can identify requests using an AWS CloudTrail event log. AWS CloudTrail is the preferred way of identifying Amazon S3 requests, but if you are using Amazon S3 server access logs, see Using Amazon S3 access logs to identify requests. https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-request-identification.html
upvoted 1 times
...
kairosfc
1 year, 5 months ago
Selected Answer: BD
It doesn't mention that the folder name is the AWS username. There is no guarantee that alternative “A” will be effective.
upvoted 2 times
Jay_2pt0_1
1 year, 5 months ago
I think BD as well
upvoted 1 times
...
...
LS1168
1 year, 5 months ago
Selected Answer: AB
CloudTrail + Identify so A and B, there was another question on CloudTrail vs. S3 Server Access logging, always CloudTrail wins
upvoted 3 times
...
Andres123456
1 year, 5 months ago
Selected Answer: AB
AB https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html
upvoted 1 times
...
AMohanty
1 year, 5 months ago
AB https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html
upvoted 2 times
Tofu13
1 year, 5 months ago
Look for Turn on logs for a subset of objects (prefix) -> Only possible for CloudTrail
upvoted 1 times
...
...
Ustad
1 year, 5 months ago
Selected Answer: AB
To Audit: B is the correct one To Act: A is the correct one but not so effective.
upvoted 1 times
...
[Removed]
1 year, 5 months ago
Selected Answer: AB
cloudtrail always for compliance
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago