
Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 779 discussion

A company has an Amazon Elastic File System (Amazon EFS) file system that contains a reference dataset. The company has applications on Amazon EC2 instances that need to read the dataset. However, the applications must not be able to change the dataset. The company wants to use IAM access control to prevent the applications from being able to modify or delete the dataset.

Which solution will meet these requirements?

  • A. Mount the EFS file system in read-only mode from within the EC2 instances.
  • B. Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles that are attached to the EC2 instances.
  • C. Create an identity policy for the EFS file system that denies the elasticfilesystem:ClientWrite action on the EFS file system.
  • D. Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory.
Suggested Answer: B 🗳️
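
An added example, not part of the original question or discussion: a file system policy of the kind option B describes, built and checked in Python. The ARNs, the companion Allow statement for elasticfilesystem:ClientMount and the helper names are assumptions for illustration.

```python
import json

# Constructed placeholders: substitute your own file system and role ARNs.
FS_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-EXAMPLE"
APP_ROLES = ["arn:aws:iam::111122223333:role/app-a-ec2-role",
             "arn:aws:iam::111122223333:role/app-b-ec2-role"]
WRITE = "elasticfilesystem:ClientWrite"


def build_read_only_policy(fs_arn, role_arns):
    """File system (resource) policy: the roles may mount, never write."""
    def stmt(sid, effect, action):
        return {"Sid": sid, "Effect": effect, "Principal": {"AWS": list(role_arns)},
                "Action": action, "Resource": fs_arn}
    return {"Version": "2012-10-17", "Statement": [
        # Assumption: ClientMount (read-only access) is granted here rather
        # than in each role's identity policy.
        stmt("AllowReadOnlyMount", "Allow", "elasticfilesystem:ClientMount"),
        stmt("DenyWrite", "Deny", WRITE),
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def roles_missing_write_deny(policy, role_arns):
    """Return roles not covered by an explicit Deny on ClientWrite.

    Simplified check: Condition and NotPrincipal elements are not evaluated.
    """
    denied = set()
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Deny" or not (
                WRITE in actions or "elasticfilesystem:*" in actions):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        denied.update(role_arns if "*" in aws else aws)
    return [r for r in role_arns if r not in denied]


def apply_policy(file_system_id, policy):
    """Attach the policy; needs boto3 and AWS credentials (not run here)."""
    import boto3
    boto3.client("efs").put_file_system_policy(
        FileSystemId=file_system_id, Policy=json.dumps(policy))


POLICY = build_read_only_policy(FS_ARN, APP_ROLES)
```

The role is only evaluated when the instance mounts with the EFS mount helper's `iam` option (for example `-o tls,iam`). An explicit Deny in the file system policy takes precedence even if the role's identity policy allows ClientWrite.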

Comments

hajra313
Highly Voted 8 months, 1 week ago
Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory. Explanation: By creating an EFS access point for each application and configuring POSIX file permissions to allow read-only access, you can enforce the desired access control. This approach restricts write and delete actions on the dataset while allowing read access, aligning with the company's requirements.
upvoted 6 times
MatAlves
3 weeks, 6 days ago
Resource policies are included in "IAM to control": "Using IAM to control file system data access NFS clients can identify themselves using an IAM role when connecting to an EFS file system. When a client connects to a file system, Amazon EFS evaluates the file system’s IAM resource policy, which is called a file system policy, along with any identity-based IAM policies to determine the appropriate file system access permissions to grant."
https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
upvoted 1 times
...
f07ed8f
4 months, 3 weeks ago
Please note that the question is asking "The company wants to use IAM access control to prevent the applications from being able to modify or delete the dataset."
upvoted 4 times
...
...
lenotc
Highly Voted 7 months, 1 week ago
Selected Answer: B
B correct, best solution, best well-architected.
C wrong because identity policies are typically associated with users or roles, not directly with the EFS file system.
D wrong because POSIX file permissions at the root directory level may not be sufficient to prevent modifications to other directories or files.
A is so far away.
upvoted 5 times
...
MatAlves
Most Recent 3 weeks, 6 days ago
Selected Answer: B
- Identity-based policies are attached to an IAM user, group, or role.
- Resource-based policies are attached to a resource.
- elasticfilesystem:ClientWrite: Provides write permissions on a file system.

EFS is a RESOURCE, so that excludes "C" (we need a resource policy).
https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html
upvoted 1 times
...
elmyth
1 month ago
Selected Answer: B
There is no such thing as an "identity policy" for EFS.
upvoted 1 times
...
sandordini
5 months, 3 weeks ago
Selected Answer: B
2 ways to prevent writing to the file system:
1. The mount option in the /etc/fstab file is set to read-only access. > A
2. IAM policy indicates read-only access, or root access disabled. > B

The question clearly states they are looking to use IAM access control.
upvoted 2 times
...
Ansuman_lucky
7 months ago
prevent the applications from being able to modify or delete the dataset.-- This means a role would be used. So answer is B
upvoted 3 times
...
xBUGx
7 months ago
IAM policies are used to control access to AWS resources, including Amazon EFS. By default, IAM policies control access to the EFS API actions, such as elasticfilesystem:ClientWrite, which allows clients to write to the file system. However, POSIX file permissions control access to files within the file system itself, which is independent of IAM policies. While using POSIX file permissions can restrict access to the files within the file system, it doesn't prevent a user or application with the appropriate IAM permissions from modifying or deleting those files directly through the EFS API.
upvoted 3 times
...
HarryLopez
7 months, 2 weeks ago
Selected Answer: B
B) IAM needs to be used, so A) & D) are out. So b/w B) and C), Resource policies are meant for specific AWS service or resource while Identity policies are attached to an identity (user, group or role). C) attached identity policy to EFS, don't know how and why. Hence, B).
upvoted 2 times
...
osmk
7 months, 2 weeks ago
Selected Answer: C
company wants to use IAM access control to prevent https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
upvoted 3 times
...
jaswantn
7 months, 3 weeks ago
Selected Answer: D
option D
upvoted 1 times
...
Oo_Cc
8 months, 1 week ago
Selected Answer: C
"The company wants to use IAM access control". Yes, it would deny writing action to everything... but it's still the only one that uses IAM.
upvoted 2 times
MatAlves
3 weeks, 6 days ago
"Using IAM to control file system data access NFS clients can identify themselves using an IAM role when connecting to an EFS file system. When a client connects to a file system, Amazon EFS evaluates the file system’s IAM resource policy, which is called a file system policy, along with any identity-based IAM policies to determine the appropriate file system access permissions to grant." https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
upvoted 1 times
MatAlves
3 weeks, 6 days ago
What we need to change is the "IAM resource policy".
upvoted 1 times
...
...
...
Andy_09
8 months, 1 week ago
Option B
upvoted 4 times
...