Q6 — AWS DEA-C01 Ch.1
Question 6 of 100 | Chapter 1
A company uses Amazon Athena for one-time queries against data that is in Amazon S3. The company has several use cases. The company must implement permission controls to separate query processes and access to query history among users, teams, and applications that are in the same AWS account. Which solution will meet these requirements?
- A. Create an S3 bucket for each use case. Create an S3 bucket policy that grants permissions to appropriate individual IAM users. Apply the S3 bucket policy to the S3 bucket.
- B. Create an Athena workgroup for each use case. Apply tags to the workgroup. Create an IAM policy that uses the tags to apply appropriate permissions to the workgroup. ✓
- C. Create an IAM role for each use case. Assign appropriate permissions to the role for each use case. Associate the role with Athena.
- D. Create an AWS Glue Data Catalog resource policy that grants permissions to appropriate individual IAM users for each use case. Apply the resource policy to the specific tables that Athena uses.
Correct Answer: B. Create an Athena workgroup for each use case. Apply tags to the workgroup. Create an IAM policy that uses the tags to apply appropriate permissions to the workgroup.
Explanation
Amazon Athena workgroups are the mechanism for isolating query execution, query results, and query history. Each workgroup carries its own configuration (result location, encryption settings, enforced workgroup settings, per-query data-scan limits) and its own query history, which is only visible to principals allowed to call the workgroup's query-execution APIs. Because a workgroup is an IAM resource with an ARN (arn:aws:athena:region:account-id:workgroup/name) and can be tagged, an IAM policy can scope actions such as athena:StartQueryExecution, athena:GetQueryExecution, athena:ListQueryExecutions and athena:GetQueryResults to workgroups whose tags match the principal's use case (for example with an aws:ResourceTag/key condition). That is exactly the separation of query processes and query history among users, teams and applications in one account that the question asks for, so option B is correct. The Amazon Athena User Guide describes workgroups as the primary way to separate users, teams, applications and workloads and to control access to queries. The other options do not control Athena query execution or history: option A (a bucket per use case with a bucket policy) governs access to the S3 data and duplicates data across buckets, but says nothing about who can run or see queries in Athena; option C (a role per use case) is not something that can be "associated with Athena" and does not partition query history, which is organised by workgroup, not by role; option D (a Glue Data Catalog resource policy on tables) controls access to table metadata, not to Athena query execution or query history, and is too coarse for the stated requirement.
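To make the mechanism in answer B concrete, the following is an added example (not part of the exam page and not AWS's own code) that builds the per-use-case workgroup definition and the tag-scoped IAM policy, then runs a deliberately minimal IAM condition evaluator over two tagged workgroups to show that a principal scoped to the "finance" tag can list that workgroup's query history but not the "marketing" workgroup's. The account id, region, tag key, workgroup names and result buckets are assumptions chosen for illustration; the action names, ARN format and aws:ResourceTag condition key are the real Athena/IAM ones.

```python
"""Added example: Athena workgroup-per-use-case with tag-based IAM scoping.

Not code from the exam page or from AWS. Account id, region, tag key and
workgroup names below are assumed values for illustration only.
"""
import fnmatch
import json

ACCOUNT = "111122223333"   # assumed account id
REGION = "us-east-1"       # assumed region
TAG_KEY = "use-case"       # assumed tag key stamped on every workgroup

# Athena actions a query user needs to run queries in a workgroup and to read
# that workgroup's query history and results (real action names).
WORKGROUP_USER_ACTIONS = [
    "athena:GetWorkGroup",
    "athena:StartQueryExecution",
    "athena:StopQueryExecution",
    "athena:GetQueryExecution",
    "athena:BatchGetQueryExecution",
    "athena:ListQueryExecutions",
    "athena:GetQueryResults",
]


def workgroup_arn(name):
    """Real Athena workgroup ARN format."""
    return f"arn:aws:athena:{REGION}:{ACCOUNT}:workgroup/{name}"


def create_workgroup_request(name, use_case):
    """Shape of an athena:CreateWorkGroup request: one workgroup per use case,
    its own result location, settings enforced, tagged with the use case."""
    return {
        "Name": name,
        "Configuration": {
            "EnforceWorkGroupConfiguration": True,
            "ResultConfiguration": {
                # assumed bucket name; each use case gets its own result prefix
                "OutputLocation": f"s3://athena-results-{use_case}/",
            },
        },
        "Tags": [{"Key": TAG_KEY, "Value": use_case}],
    }


def workgroup_user_policy(use_case):
    """IAM identity policy: allow the workgroup actions only on workgroups
    whose use-case tag equals this principal's use case."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"AthenaWorkgroup{use_case.title()}",
            "Effect": "Allow",
            "Action": WORKGROUP_USER_ACTIONS,
            "Resource": workgroup_arn("*"),
            "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG_KEY}": use_case}},
        }],
    }


def is_allowed(policy, action, resource_arn, resource_tags):
    """Toy evaluator for this example: Allow statements only, wildcard match on
    action and resource, StringEquals on aws:ResourceTag/<key> conditions.
    Anything not explicitly allowed is implicitly denied, as in IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource_arn, stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        prefix = "aws:ResourceTag/"
        if all(key.startswith(prefix) and resource_tags.get(key[len(prefix):]) == want
               for key, want in conditions.items()):
            return True
    return False


def demo():
    """Two use cases, two workgroups; evaluate the finance principal's policy
    against each workgroup's tags. Returns {workgroup name: allowed?}."""
    workgroups = [("wg-finance", "finance"), ("wg-marketing", "marketing")]
    finance_policy = workgroup_user_policy("finance")
    results = {}
    for name, use_case in workgroups:
        req = create_workgroup_request(name, use_case)
        tags = {t["Key"]: t["Value"] for t in req["Tags"]}
        results[name] = is_allowed(
            finance_policy, "athena:ListQueryExecutions", workgroup_arn(name), tags)
    return results


if __name__ == "__main__":
    print(json.dumps(workgroup_user_policy("finance"), indent=2))
    print(demo())  # {'wg-finance': True, 'wg-marketing': False}
```

The evaluator is intentionally narrow (no Deny statements, no other condition operators, no service control policies), so it only shows why the tag condition partitions query history: the untagged default "primary" workgroup and any workgroup tagged for another use case fail the StringEquals check and fall to implicit deny. A real policy for this design also needs S3 permissions on the workgroup's result location and Glue Data Catalog permissions on the databases and tables being queried; those are outside the Athena API and are not shown here.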