Question #889
A global e-commerce company processes millions of transactions daily using Amazon EMR. The company's analytical team consists of three personas: Cluster Manager (provisions EMR clusters), ETL Developer (transforms data using Spark scripts), and Business Analyst (queries data with Hive). The solution must enforce least privilege access, allow only approved EMR configurations, and ensure all resources are tagged. Which solution meets these requirements?
A. Create IAM roles for each persona with necessary permissions. Use AWS Config to monitor resource compliance and alert administrators for remediation.
B. Implement SAML-based federation for EMR cluster access. Configure identity policies to restrict cluster modifications.
C. Utilize AWS Service Catalog to define permissible EMR configurations and assign role-based access policies for each persona.
D. Deploy EMR clusters via AWS CloudFormation templates with IAM policies. Use AWS Config rules to enforce tagging and notify admins of non-compliance.
Explanation
The correct answer is C because:
1. Least Privilege: AWS Service Catalog enables role-based access policies for each persona (Cluster Manager, ETL Developer, Business Analyst), ensuring they only have permissions necessary for their tasks.
2. Approved Configurations: Service Catalog portfolios restrict EMR cluster configurations to pre-approved templates, preventing unauthorized setups.
3. Resource Tagging: Service Catalog enforces tagging during resource provisioning, ensuring compliance.
Why other options fail:
- A: AWS Config is a detective control; it reports non-compliant configurations after the fact but does not prevent them from being provisioned.
- B: SAML federation and identity policies control who can access clusters, but they do not restrict EMR configurations to an approved set or enforce tagging.
- D: CloudFormation enforces the initial configuration of a cluster but provides no per-persona, role-based provisioning model on its own.
Key Points:
- Use AWS Service Catalog for governance of configurations and access.
- Combine with IAM roles for least privilege.
- Enforce tagging via Service Catalog policies.
Answer
The correct answer is: C