
Data Security and Governance II

Understand how to implement tag-based access control using AWS Lake Formation tags and IAM policies for dynamic data lake security. Learn to configure Glue ETL roles, enable CloudTrail for compliance logging, manage cross-region replication to meet data residency requirements, and securely share Redshift data. This lesson helps you apply practical AWS security and governance controls in data engineering environments.

Question 60

A data lake built on Amazon S3 contains datasets from multiple business units. The data governance team needs to implement tag-based access control where users can access only datasets tagged with their authorized business unit. New datasets are continuously added, and permissions should automatically apply based on tags without manual policy updates.

Which combination of actions meets these requirements? (Select any two options.)

A. Create individual IAM policies for each dataset that grant access based on the business unit. Update policies whenever new datasets are added to the data lake.

B. Define LF-Tags in AWS Lake Formation representing business unit values. Assign LF-Tags to databases and tables in the AWS Glue Data Catalog based on their business unit ownership.

C. Configure S3 bucket policies with conditions based on object prefixes that correspond to business units. Restructure the data lake to organize data by business unit prefix.

D. Grant Lake Formation permissions to IAM principals using LF-Tag expressions. Configure permissions so that users can access resources tagged with their authorized business unit values.

E. Use IAM policy conditions with aws:ResourceTag to restrict access based on S3 object tags. Apply business unit tags to all S3 objects in the data lake.

Question 61

A data engineering team needs to deploy an AWS Glue ETL job that reads from Amazon S3 and writes to Amazon Redshift. The job runs on a schedule triggered by Amazon EventBridge. The team must configure the appropriate ...