AWS Certified Solutions Architect – Associate (SAA-C03) — Question 930

A company wants to create an Amazon EMR cluster that multiple teams will use. The company wants to ensure that each team’s big data workloads can access only the AWS services that each team needs to interact with. The company does not want the workloads to have access to Instance Metadata Service Version 2 (IMDSv2) on the cluster’s underlying EC2 instances.

Which solution will meet these requirements?

Answer options

• A. Configure interface VPC endpoints for each AWS service that the teams need. Use the required interface VPC endpoints to submit the big data workloads.
• B. Create EMR runtime roles. Configure the cluster to use the runtime roles. Use the runtime roles to submit the big data workloads.
• C. Create an EC2 IAM instance profile that has the required permissions for each team. Use the instance profile to submit the big data workloads.
• D. Create an EMR security configuration that has the EnableApplicationScopedIAMRole option set to false. Use the security configuration to submit the big data workloads.

Correct answer: B

Explanation

EMR runtime roles allow you to isolate permissions for different jobs or teams running on a shared cluster, ensuring they only access authorized AWS resources. Because runtime roles are scoped directly to the job run, they prevent the workloads from falling back to or accessing the EC2 instance profile via IMDSv2, satisfying both security requirements.