AWS Certified Solutions Architect – Associate (SAA-C03) — Question 491
A company stores several petabytes of data across multiple AWS accounts. The company uses AWS Lake Formation to manage its data lake. The company's data science team wants to securely share selective data from its accounts with the company's engineering team for analytical purposes.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Copy the required data to a common account. Create an IAM access role in that account. Grant access by specifying a permission policy that includes users from the engineering team accounts as trusted entities.
- B. Use the Lake Formation permissions Grant command in each account where the data is stored to allow the required engineering team users to access the data.
- C. Use AWS Data Exchange to privately publish the required data to the required engineering team accounts.
- D. Use Lake Formation tag-based access control to authorize and grant cross-account permissions for the required data to the engineering team accounts.
Correct answer: D
Explanation
AWS Lake Formation tag-based access control (LF-TBAC) is the least-overhead option because permissions are granted on an LF-Tag expression rather than on each named database or table. The data science team defines a small set of LF-Tags once, assigns them to the databases, tables, or columns it wants to share, and grants the engineering account permissions on the matching tag expression; Lake Formation then shares the matching resources across accounts through AWS RAM, and any resource tagged later is covered by the existing grant with no further action. Option A copies petabytes into a central account, which costs storage and transfer, duplicates sensitive data, and leaves two copies to keep in sync. Option B requires a Lake Formation grant per resource and per principal in every source account, which is hard to keep consistent and to audit as tables are added. Option C, AWS Data Exchange, is built for publishing data products to subscribers and adds product and subscription management that internal cross-account sharing does not need.
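The following is an added example, not part of the original question or of any AWS sample: it builds the three boto3 Lake Formation requests that implement option D (define the LF-Tag, attach it to a table, grant the engineering account permissions on the tag expression) and includes a small evaluator that mirrors how an LF-Tag expression is matched against a resource's tags. The account IDs, database and table names, and the `sharing` tag key and values are assumed, hypothetical values.

```python
"""Added example (not from the original page): cross-account Lake Formation
tag-based access control (LF-TBAC) with boto3.

All account IDs, database, table and tag names are assumed, hypothetical values.
"""
from __future__ import annotations

PRODUCER_ACCOUNT = "111111111111"   # assumed: data science account that owns the catalog
CONSUMER_ACCOUNT = "222222222222"   # assumed: engineering account receiving the share
TAG_KEY = "sharing"                 # assumed LF-Tag key
TAG_VALUES = ["private", "engineering"]


def create_lf_tag_request() -> dict:
    """Parameters for lakeformation.create_lf_tag: define the tag once, in the producer account."""
    return {"CatalogId": PRODUCER_ACCOUNT, "TagKey": TAG_KEY, "TagValues": TAG_VALUES}


def tag_table_request(database: str, table: str, value: str) -> dict:
    """Parameters for lakeformation.add_lf_tags_to_resource: attach the tag to one table."""
    return {
        "CatalogId": PRODUCER_ACCOUNT,
        "Resource": {"Table": {"CatalogId": PRODUCER_ACCOUNT,
                               "DatabaseName": database, "Name": table}},
        "LFTags": [{"CatalogId": PRODUCER_ACCOUNT, "TagKey": TAG_KEY, "TagValues": [value]}],
    }


def cross_account_grant_requests(value: str) -> list[dict]:
    """Parameters for two lakeformation.grant_permissions calls.

    The principal is the engineering *account*, not individual users; Lake
    Formation shares the matching resources through AWS RAM. DESCRIBE on
    matching databases plus SELECT/DESCRIBE on matching tables is the minimum
    for read-only analytics. The grant option lets the engineering data lake
    admin re-grant to its own IAM principals without involving the producer.
    """
    def grant(resource_type: str, permissions: list[str]) -> dict:
        return {
            "CatalogId": PRODUCER_ACCOUNT,
            "Principal": {"DataLakePrincipalIdentifier": CONSUMER_ACCOUNT},
            "Resource": {"LFTagPolicy": {
                "CatalogId": PRODUCER_ACCOUNT,
                "ResourceType": resource_type,
                "Expression": [{"TagKey": TAG_KEY, "TagValues": [value]}],
            }},
            "Permissions": permissions,
            "PermissionsWithGrantOption": permissions,
        }
    return [grant("DATABASE", ["DESCRIBE"]), grant("TABLE", ["SELECT", "DESCRIBE"])]


def effective_tags(db_tags: dict, table_tags: dict) -> dict:
    """Tables inherit the database's LF-Tags; a tag set directly on the table overrides it."""
    return {**db_tags, **table_tags}


def expression_matches(expression: list[dict], tags: dict) -> bool:
    """LF-TBAC evaluation: every key in the expression must be present on the
    resource with one of the listed values (keys AND together, values OR)."""
    return all(tags.get(term["TagKey"]) in term["TagValues"] for term in expression)


def tables_visible_to_grant(grant: dict, catalog: dict) -> list[str]:
    """Which tables a grant on an LF-Tag expression currently reaches.

    catalog: {database: {"tags": {...}, "tables": {table: {...table-level tags}}}}
    """
    expr = grant["Resource"]["LFTagPolicy"]["Expression"]
    reached = []
    for db, spec in catalog.items():
        for tbl, tbl_tags in spec["tables"].items():
            if expression_matches(expr, effective_tags(spec["tags"], tbl_tags)):
                reached.append(f"{db}.{tbl}")
    return sorted(reached)


# Constructed sample catalog: one database, two tables, only one of them shared.
SAMPLE_CATALOG = {
    "sales_lake": {
        "tags": {TAG_KEY: "private"},                  # database default: private
        "tables": {
            "raw_events": {},                           # inherits private
            "daily_rollup": {TAG_KEY: "engineering"},   # overridden: shared
        },
    }
}

if __name__ == "__main__":
    import boto3  # needed only for the live calls, not for the request builders
    lf = boto3.client("lakeformation")
    lf.create_lf_tag(**create_lf_tag_request())
    lf.add_lf_tags_to_resource(**tag_table_request("sales_lake", "daily_rollup", "engineering"))
    for req in cross_account_grant_requests("engineering"):
        lf.grant_permissions(**req)
```

The point of `tables_visible_to_grant` is the operational-overhead argument: tagging another table `sharing=engineering` extends the share without editing any grant, whereas named-resource grants (option B) need a new grant per table and per principal. On the engineering side, the data lake administrator accepts the RAM resource share (automatic when both accounts are in the same AWS Organization with sharing enabled), creates a resource link to the shared database in its own catalog, and grants its own analysts permissions on that link.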