Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 306 discussion

A research center is migrating to the AWS Cloud and has moved its on-premises 1 PB object storage to an Amazon S3 bucket. One hundred scientists are using this object storage to store their work-related documents. Each scientist has a personal folder on the object store. All the scientists are members of a single IAM user group.

The research center's compliance officer is worried that scientists will be able to access each other's work. The research center has a strict obligation to report on which scientist accesses which documents. The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead.

Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)

  • A. Create an identity policy that grants the user read and write access. Add a condition that specifies that the S3 paths must be prefixed with ${aws:username}. Apply the policy on the scientists’ IAM user group.
  • B. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket. Store the trail output in another S3 bucket. Use Amazon Athena to query the logs and generate reports.
  • C. Enable S3 server access logging. Configure another S3 bucket as the target for log delivery. Use Amazon Athena to query the logs and generate reports.
  • D. Create an S3 bucket policy that grants read and write access to users in the scientists’ IAM user group.
  • E. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket and write the events to Amazon CloudWatch. Use the Amazon Athena CloudWatch connector to query the logs and generate reports.
Suggested Answer: AB
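As an added example (not part of the question or of any comment in this thread), the Python below sketches both suggested options: the group identity policy that scopes every scientist to the `${aws:username}/` prefix, and the reduction of CloudTrail S3 data events into a per-user access report, which is what an Athena query over the trail output would produce. It assumes each personal folder is named after the scientist's IAM user name, as option A requires; the bucket name and the two CloudTrail records are constructed.

```python
"""Per-scientist S3 prefix isolation (option A) and a CloudTrail-based access
report (option B). Added example; bucket name and records are constructed."""
from collections import defaultdict

BUCKET = "research-center-docs"  # constructed placeholder bucket name

def scientist_policy(bucket: str) -> dict:
    """Identity policy for the scientists' IAM group. ${aws:username} is an IAM
    policy variable resolved per caller, so each member is confined to the
    folder named after their own IAM user name."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing: only keys under the caller's own prefix
                "Sid": "ListOwnFolderOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}},
            },
            {   # Object read/write/delete confined to the caller's own prefix
                "Sid": "ReadWriteOwnFolder",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/${{aws:username}}/*",
            },
        ],
    }

def access_report(records):
    """Reduce CloudTrail S3 data events (what object-level logging delivers and
    Athena would query) to {user: sorted keys}, plus every event in which a
    user attempted a key outside their own folder."""
    report, violations = defaultdict(set), []
    for ev in records:
        user = ev["userIdentity"]["userName"]
        key = ev["requestParameters"]["key"]
        report[user].add(key)
        if not key.startswith(f"{user}/"):
            violations.append((user, ev["eventName"], key))
    return {u: sorted(k) for u, k in report.items()}, violations

# Constructed sample: two data events in the shape CloudTrail emits for S3.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "userIdentity": {"userName": "alice"},
     "requestParameters": {"bucketName": BUCKET, "key": "alice/notes.txt"}},
    {"eventName": "PutObject", "userIdentity": {"userName": "bob"},
     "requestParameters": {"bucketName": BUCKET, "key": "alice/draft.docx"}},
]
```

With the policy attached to the group, bob's request in the sample would be denied by IAM, and CloudTrail would still record the denied attempt, so the report flags it either way.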

Comments

AzureDP900
1 week ago
Option A allows for secure and isolated access to each scientist's personal folder by prefixing the S3 paths with ${aws:username}, ensuring that scientists can only access their own documents. This aligns with the research center's compliance officer's concern about preserving data isolation. Option B configures a CloudTrail trail to capture all object-level events in the S3 bucket, providing detailed information on who accessed which documents. This meets the requirement for reporting on document access by scientists.
upvoted 1 time
Daniel76
1 month, 1 week ago
Selected Answer: AB
Option E's problem is that CloudWatch needs to be exported to an S3 bucket to be queried by Athena.
upvoted 1 time
9f02c8d
5 months, 3 weeks ago
Option AB
upvoted 1 time
ele
9 months, 1 week ago
Selected Answer: AB
Not C: Server access log records are delivered on a best-effort basis.
upvoted 4 times
hogtrough
8 months, 4 weeks ago
To elaborate further, "The completeness and timeliness of server logging is not guaranteed. The log record for a particular request might be delivered long after the request was actually processed, or it might not be delivered at all. "
upvoted 1 time
07c2d2a
9 months, 2 weeks ago
AB is correct. The key here is that the logs are required to be accurate for compliance reasons. Server access isn't good enough here. "Server access log records are delivered on a best-effort basis. Most requests for a bucket that is properly configured for logging result in a delivered log record. Most log records are delivered within a few hours of the time that they are recorded, but they can be delivered more frequently."
upvoted 3 times
mhampar12
10 months, 1 week ago
Selected Answer: AC
"The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead."
upvoted 1 time
mhampar12
10 months, 1 week ago
A and C "The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead."
upvoted 1 time
vibzr2023
10 months, 1 week ago
Answer: AB Option C is incorrect because enabling S3 server access logging and delivering the logs to another S3 bucket does not directly address the requirement to report on which scientist accesses which documents. While the logs can be queried, it does not provide a straightforward solution for generating the required reports. Option D is incorrect because creating an S3 bucket policy that grants read and write access to users in the scientists' IAM user group does not address the compliance officer's concern about scientists being able to access each other's work. It also does not provide a solution for reporting on which scientist accesses which documents.
upvoted 2 times
George88
12 months ago
Answer: AB https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
upvoted 4 times
D10SJoker
1 year ago
Selected Answer: AB
In Amazon S3, you can identify requests using an AWS CloudTrail event log. AWS CloudTrail is the preferred way of identifying Amazon S3 requests, but if you are using Amazon S3 server access logs, see Using Amazon S3 access logs to identify requests. https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-request-identification.html
upvoted 1 time
kairosfc
1 year ago
Selected Answer: BD
It doesn't mention that the folder name is the AWS username. There is no guarantee that alternative “A” will be effective.
upvoted 2 times
Jay_2pt0_1
12 months ago
I think BD as well
upvoted 1 time
LS1168
1 year ago
Selected Answer: AB
CloudTrail + Identity, so A and B. There was another question on CloudTrail vs. S3 server access logging; CloudTrail always wins.
upvoted 3 times
Andres123456
1 year ago
Selected Answer: AB
AB https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html
upvoted 1 time
AMohanty
1 year ago
AB https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html
upvoted 2 times
Tofu13
1 year ago
Look for "Turn on logs for a subset of objects (prefix)" -> only possible with CloudTrail.
upvoted 1 time
Ustad
1 year ago
Selected Answer: AB
To audit: B is the correct one. To act: A is the correct one, but not so effective.
upvoted 1 time
[Removed]
1 year ago
Selected Answer: AB
CloudTrail, always, for compliance.
upvoted 2 times
s61
1 year ago
Selected Answer: AB
CloudTrail provides more detailed logging than S3 server access logging https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-s3-access-logs-to-identify-requests.html
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other