AWS Certified Data Analytics – Specialty — Question 39

A company stores its sales and marketing data that includes personally identifiable information (PII) in Amazon S3. The company allows its analysts to launch their own Amazon EMR cluster and run analytics reports with the data. To meet compliance requirements, the company must ensure the data is not publicly accessible throughout this process. A data engineer has secured Amazon S3 but must ensure the individual EMR clusters created by the analysts are not exposed to the public internet.
Which solution should the data engineer to meet this compliance requirement with LEAST amount of effort?

Answer options

• A. Create an EMR security configuration and ensure the security configuration is associated with the EMR clusters when they are created.
• B. Check the security group of the EMR clusters regularly to ensure it does not allow inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0.
• C. Enable the block public access setting for Amazon EMR at the account level before any EMR cluster is created.
• D. Use AWS WAF to block public internet access to the EMR clusters across the board.

Correct answer: C

Explanation

The correct answer is C because enabling the block public access setting at the account level ensures that all EMR clusters created subsequently will automatically adhere to this compliance requirement with minimal manual intervention. Options A and B involve ongoing management and checks, which require more effort, while option D is more complex and may not be necessary since the block public access setting is a simpler and more effective solution.