AWS Certified Solutions Architect – Professional (SAP-C02) — Question 306

A research center is migrating to the AWS Cloud and has moved its on-premises 1 PB object storage to an Amazon S3 bucket. One hundred scientists are using this object storage to store their work-related documents. Each scientist has a personal folder on the object store. All the scientists are members of a single IAM user group.

The research center's compliance officer is worried that scientists will be able to access each other's work. The research center has a strict obligation to report on which scientist accesses which documents. The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead.

Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)

Answer options

• A. Create an identity policy that grants the user read and write access. Add a condition that specifies that the S3 paths must be prefixed with $(aws:username). Apply the policy on the scientists’ IAM user group.
• B. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket. Store the trail output in another S3 bucket. Use Amazon Athena to query the logs and generate reports.
• C. Enable S3 server access logging. Configure another S3 bucket as the target for log delivery. Use Amazon Athena to query the logs and generate reports.
• D. Create an S3 bucket policy that grants read and write access to users in the scientists’ IAM user group.
• E. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket and write the events to Amazon CloudWatch. Use the Amazon Athena CloudWatch connector to query the logs and generate reports.

Correct answer: A, B

Explanation

Using an IAM policy with the ${aws:username} policy variable allows a single policy applied to the IAM group to dynamically restrict each scientist's access to only their personal folder, preventing unauthorized cross-access. To meet the compliance and reporting requirements with minimal overhead, configuring AWS CloudTrail to log S3 object-level data events directly to S3 and querying them with Amazon Athena provides a simple, serverless SQL interface. Other options either fail to restrict individual folders, use less comprehensive logging methods, or introduce unnecessary operational complexity.