AWS Certified Solutions Architect - Associate / Question #1985 of 1019

Question #1985

A company is deploying an Amazon EMR cluster shared across multiple departments. The company needs to ensure that each department's applications can only interact with specific AWS services required for their tasks. Additionally, the applications must be prevented from accessing Instance Metadata Service Version 2 (IMDSv2) on the cluster's EC2 instances.

Which solution meets these requirements?

A

Configure gateway VPC endpoints for the required AWS services. Use these endpoints to route all application requests to the designated services.

B

Define EMR runtime roles with permissions tailored to each department's needs. Configure the cluster to use these roles and submit applications using the runtime roles.

C

Assign EC2 IAM instance profiles with department-specific permissions to the cluster. Use the instance profiles to control access when submitting applications.

D

Apply an EMR security configuration with the 'EnableApplicationScopedIAMRole' parameter set to true. Use this configuration to submit the applications.

Explanation

Answer B is correct because EMR runtime roles let you assign a specific IAM role to each application, restricting its access to the designated AWS services, so each department's applications operate within their own permissions. Because applications obtain credentials through the runtime role rather than from the EC2 instance metadata service (IMDSv2), their access to IMDSv2 is blocked.

Option A is incorrect because VPC endpoints route traffic but do not enforce per-department IAM policies, so they fail to restrict access by department. Option C uses EC2 instance profiles, which apply cluster-wide permissions and do not prevent IMDSv2 access. Option D enables application-scoped roles but does not define the specific roles; B directly addresses both requirements by configuring and using runtime roles.

Answer

The correct answer is: B