Q23 — AWS SAA-C03 Ch.5
Q323. A company stores several petabytes of data across multiple AWS accounts. The company uses AWS Lake Formation to manage its data lake. The company's data science team wants to securely share selective data from its accounts with the company's engineering team for analytical purposes. Which solution will meet these requirements with the LEAST operational overhead?
- A. Copy the required data to a common account. Create an IAM access role in that account. Grant access by specifying a permission policy that includes users from the engineering team accounts as trusted entities
- B. Use the Lake Formation permissions Grant command in each account where the data is stored to allow the required engineering team users to access the data
- C. Use AWS Data Exchange to privately publish the required data to the required engineering team accounts
- D. Use Lake Formation tag-based access control to authorize and grant cross-account permissions for the required data to the engineering team accounts ✓
Correct Answer: D. Use Lake Formation tag-based access control to authorize and grant cross-account permissions for the required data to the engineering team accounts
Explanation
Lake Formation provides tag-based access control (LF-TBAC), which lets you grant cross-account permissions on specific resources based on the LF-Tags attached to them. This lets the data science team selectively share data from their accounts with the engineering team without copying the data to a common account or managing IAM roles for users in another account. The data science team tags the databases, tables, or columns with the appropriate attributes, then uses Lake Formation to grant access to the engineering team accounts based on those tags; any resource that later receives a matching tag is covered by the same grant, so the permissions do not have to be re-issued resource by resource.

Option A involves copying the data to a common account, which is time-consuming and costly for petabytes of data. It also requires managing IAM access roles for users in multiple accounts, which increases operational overhead.

Option B involves using the Lake Formation Grant command in each account where the data is stored, which becomes cumbersome when the data is distributed across multiple accounts, because each grant must be issued and maintained per resource and per account.

Option C involves using AWS Data Exchange, which is not well suited to sharing data within the organization, as it is primarily designed for exchanging data between different organizations.