ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 779 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 779
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company has an Amazon Elastic File System (Amazon EFS) file system that contains a reference dataset. The company has applications on Amazon EC2 instances that need to read the dataset. However, the applications must not be able to change the dataset. The company wants to use IAM access control to prevent the applications from being able to modify or delete the dataset.

Which solution will meet these requirements?

  • A. Mount the EFS file system in read-only mode from within the EC2 instances.
  • B. Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles that are attached to the EC2 instances.
  • C. Create an identity policy for the EFS file system that denies the elasticfilesystem:ClientWrite action on the EFS file system.
  • D. Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Andy_09 at Feb. 6, 2024, 7:41 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
lenotc
Highly Voted 1 year, 4 months ago
Selected Answer: B
B correct best solution best well architected C wrong because identity policies are typically associated with users or roles, not directly with the EFS file system D wrong because POSIX file permissions at the root directory level may not be sufficient to prevent modifications to other directories or files A is so far away
upvoted 6 times
...
hajra313
Highly Voted 1 year, 5 months ago
Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory. Explanation: By creating an EFS access point for each application and configuring POSIX file permissions to allow read-only access, you can enforce the desired access control. This approach restricts write and delete actions on the dataset while allowing read access, aligning with the company's requirements.
upvoted 6 times
MatAlves
9 months, 3 weeks ago
Resource policies are included in " IAM to control": "Using IAM to control file system data access NFS clients can identify themselves using an IAM role when connecting to an EFS file system. When a client connects to a file system, Amazon EFS evaluates the file system’s IAM resource policy, which is called a file system policy, along with any identity-based IAM policies to determine the appropriate file system access permissions to grant." https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
upvoted 2 times
...
f07ed8f
1 year, 1 month ago
Please note that the question is asking "The company wants to use IAM access control to prevent the applications from being able to modify or delete the dataset."
upvoted 5 times
...
...
MatAlves
Most Recent 9 months, 3 weeks ago
Selected Answer: B
- Identity-based policies are attached to an IAM user, group, or role. - Resource-based policies are attached to a resource. - elasticfilesystem:ClientWrite: Provides write permissions on a file system. EFS is a RESOURCE, so that excludes "C" (we need a resource policy). https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html
upvoted 2 times
...
elmyth
10 months ago
Selected Answer: B
There is no such thing as an "identity policy" for EFS.
upvoted 2 times
...
sandordini
1 year, 2 months ago
Selected Answer: B
2 ways to prevent writing to the file system: 1. The mount option in the /etc/fstab file is set to read-only access. > A 2. IAM policy indicates read-only access, or root access disabled. > B The question clearly states they are looking to use IAM access control
upvoted 3 times
...
Ansuman_lucky
1 year, 3 months ago
prevent the applications from being able to modify or delete the dataset.-- This means a role would be used. So answer is B
upvoted 4 times
...
xBUGx
1 year, 3 months ago
IAM policies are used to control access to AWS resources, including Amazon EFS. By default, IAM policies control access to the EFS API actions, such as elasticfilesystem:ClientWrite, which allows clients to write to the file system. However, POSIX file permissions control access to files within the file system itself, which is independent of IAM policies. While using POSIX file permissions can restrict access to the files within the file system, it doesn't prevent a user or application with the appropriate IAM permissions from modifying or deleting those files directly through the EFS API.
upvoted 4 times
...
HarryLopez
1 year, 4 months ago
Selected Answer: B
B) IAM needs to be used, so A) & D) are out. So b/w B) and C), Resource policies are meant for specific aws service or resource while Identity policies are attached to an identity (user, group or role). C) attached identity policy to EFS, dont know how and why. Hence, B).
upvoted 3 times
...
osmk
1 year, 4 months ago
Selected Answer: C
company wants to use IAM access control to prevent https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
upvoted 3 times
...
jaswantn
1 year, 4 months ago
Selected Answer: D
option D
upvoted 1 times
Salilgen
6 months, 1 week ago
You use IAM policy to control permissions with access points https://docs.aws.amazon.com/efs/latest/ug/access-points-iam-policy.html
upvoted 1 times
...
...
Oo_Cc
1 year, 5 months ago
Selected Answer: C
"The company wasn't to use IAM access control". Yes, it would deny writing action to everything .. but it's still the only one that uses IAM.
upvoted 2 times
MatAlves
9 months, 3 weeks ago
"Using IAM to control file system data access NFS clients can identify themselves using an IAM role when connecting to an EFS file system. When a client connects to a file system, Amazon EFS evaluates the file system’s IAM resource policy, which is called a file system policy, along with any identity-based IAM policies to determine the appropriate file system access permissions to grant." https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
upvoted 2 times
MatAlves
9 months, 3 weeks ago
What we need to change is the " IAM resource policy".
upvoted 1 times
...
...
...
Andy_09
1 year, 5 months ago
Option B
upvoted 5 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel