Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 779 discussion

B correct best solution best well architected C wrong because identity policies are typically associated with users or roles, not directly with the EFS file system D wrong because POSIX file permissions at the root directory level may not be sufficient to prevent modifications to other directories or files A is so far away

Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory. Explanation: By creating an EFS access point for each application and configuring POSIX file permissions to allow read-only access, you can enforce the desired access control. This approach restricts write and delete actions on the dataset while allowing read access, aligning with the company's requirements.

- Identity-based policies are attached to an IAM user, group, or role. - Resource-based policies are attached to a resource. - elasticfilesystem:ClientWrite: Provides write permissions on a file system. EFS is a RESOURCE, so that excludes "C" (we need a resource policy). https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html

There is no such thing as an "identity policy" for EFS.

2 ways to prevent writing to the file system: 1. The mount option in the /etc/fstab file is set to read-only access. > A 2. IAM policy indicates read-only access, or root access disabled. > B The question clearly states they are looking to use IAM access control

prevent the applications from being able to modify or delete the dataset.-- This means a role would be used. So answer is B

IAM policies are used to control access to AWS resources, including Amazon EFS. By default, IAM policies control access to the EFS API actions, such as elasticfilesystem:ClientWrite, which allows clients to write to the file system. However, POSIX file permissions control access to files within the file system itself, which is independent of IAM policies. While using POSIX file permissions can restrict access to the files within the file system, it doesn't prevent a user or application with the appropriate IAM permissions from modifying or deleting those files directly through the EFS API.

B) IAM needs to be used, so A) & D) are out. So b/w B) and C), Resource policies are meant for specific aws service or resource while Identity policies are attached to an identity (user, group or role). C) attached identity policy to EFS, dont know how and why. Hence, B).

company wants to use IAM access control to prevent https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html

option D

"The company wasn't to use IAM access control". Yes, it would deny writing action to everything .. but it's still the only one that uses IAM.

Option B