AWS Certified Big Data – Specialty — Question 37

An organization needs to store sensitive information on Amazon S3 and process it through Amazon EMR. Data must be encrypted on Amazon S3 and Amazon
EMR at rest and in transit. Using Thrift Server, the Data Analysis team users HIVE to interact with this data. The organization would like to grant access to only specific databases and tables, giving permission only to the SELECT statement.
Which solution will protect the data and limit user access to the SELECT statement on a specific portion of data?

Answer options

• A. Configure Transparent Data Encryption on Amazon EMR. Create an Amazon EC2 instance and install Apache Ranger. Configure the authorization on the cluster to use Apache Ranger.
• B. Configure data encryption at rest for EMR File System (EMRFS) on Amazon S3. Configure data encryption in transit for traffic between Amazon S3 and EMRFS. Configure storage and SQL base authorization on HiveServer2.
• C. Use AWS KMS for encryption of data. Configure and attach multiple roles with different permissions based on the different user needs.
• D. Configure Security Group on Amazon EMR. Create an Amazon VPC endpoint for Amazon S3. Configure HiveServer2 to use Kerberos authentication on the cluster.

Correct answer: C

Explanation

The correct answer is C because using AWS KMS to encrypt data allows for robust security while attaching different roles enables fine-grained permission management for users. Options A and B do not provide the necessary granularity of access control for SELECT permissions specifically. Option D focuses on network security rather than the required database access restrictions.