AWS Certified Security – Specialty — Question 413
A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations.
A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file’s content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.
Which solution will meet these requirements?
Answer options
- A. Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
- B. Use S3 Select to restrict access to the .csv file. In AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
- C. Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
- D. Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.
Correct answer: C
Explanation
To enable cross-account access to a specific dataset via AWS Glue and Amazon Athena while restricting access to other files in the same directory, an AWS Glue Data Catalog resource policy should be used to grant permissions to the specific metadata table. This allows external accounts to query only the defined table (pointing to the .csv file) without having direct S3 bucket-level access to other objects. Other options either fail to restrict access to just the single file or cannot establish the required cross-account Glue Catalog permissions directly.
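As an added illustration of option C (not part of the original question or answer key), the two policies below show how the sales account would scope the grant: the Glue Data Catalog resource policy exposes only one table, and the S3 bucket policy exposes only the object that table points to, so the consuming account can query the .csv through Athena but cannot list or read neighbouring objects. Account IDs, region, bucket, database, table and key names are constructed placeholders.

```json
{
  "_comment": "Constructed example. Part 1: Glue Data Catalog resource policy in the sales account (111111111111), granting account 222222222222 read access to a single table.",
  "GlueCatalogResourcePolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ShareOneTableOnly",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
        "Action": [
          "glue:GetDatabase",
          "glue:GetTable",
          "glue:GetTables",
          "glue:GetPartitions"
        ],
        "Resource": [
          "arn:aws:glue:us-east-1:111111111111:catalog",
          "arn:aws:glue:us-east-1:111111111111:database/sales_db",
          "arn:aws:glue:us-east-1:111111111111:table/sales_db/large_export_csv"
        ]
      }
    ]
  },
  "_comment2": "Part 2: S3 bucket policy on the sales bucket. Only the one object key is readable; no s3:ListBucket is granted, so other files in reports/ stay hidden.",
  "S3BucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadOnlyTheSharedCsv",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::sales-dept-data/reports/large_export.csv"
      }
    ]
  }
}
```

The two policy documents are shown together for readability; in practice each is attached separately (the first via the Glue console or `glue:PutResourcePolicy`, the second via `s3:PutBucketPolicy`), and the consuming account's users still need their own IAM permissions for Glue and Athena plus a registered cross-account catalog data source in Athena.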