AWS Certified Solutions Architect – Associate (SAA-C03) — Question 734

A company has an Amazon Elastic File System (Amazon EFS) file system that contains a reference dataset. The company has applications on Amazon EC2 instances that need to read the dataset. However, the applications must not be able to change the dataset. The company wants to use IAM access control to prevent the applications from being able to modify or delete the dataset.

Which solution will meet these requirements?

Answer options

• A. Mount the EFS file system in read-only mode from within the EC2 instances.
• B. Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles that are attached to the EC2 instances.
• C. Create an identity policy for the EFS file system that denies the elasticfilesystem:ClientWrite action on the EFS file system.
• D. Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory.

Correct answer: B

Explanation

A resource policy applied directly to the Amazon EFS file system can explicitly deny the elasticfilesystem:ClientWrite action to the IAM roles associated with the EC2 instances, meeting the requirement to use IAM access control to prevent modifications. While mounting as read-only (Option A) or using POSIX permissions (Option D) can restrict writes, they do not utilize IAM access control as requested. Additionally, EFS does not support identity policies (Option C) directly; resource-based policies are used on EFS file systems to control access.