Question #835
A financial institution is migrating its on-premises document storage to Amazon S3. Each employee has a dedicated folder within the S3 bucket, and all employees belong to a single IAM user group. The compliance department mandates that employees cannot access each other's folders and requires detailed access logs for audit purposes. The IT team needs a solution that requires minimal maintenance and is easy to implement. Which combination of actions should be taken? (Choose two.)
A. Create an IAM policy granting read and write access with a condition that restricts S3 object keys to start with ${aws:username}. Attach this policy to the IAM user group.
B. Set up an AWS CloudTrail trail to log S3 object-level events, storing the logs in a separate S3 bucket. Use Amazon Athena to analyze these logs for audit reports.
C. Enable S3 server access logging on the bucket and configure another bucket for log storage. Use AWS Lambda to process logs and generate audit reports.
D. Implement an S3 bucket policy that allows read and write access for the IAM user group. Use Amazon QuickSight to visualize access patterns from the bucket logs.
E. Configure AWS Config to record S3 resource changes and use AWS CloudTrail to capture API activity. Use Athena to query both logs for compliance reporting.
Explanation
Answer A is correct because an IAM policy with a condition on ${aws:username} restricts each user to their own folder, meeting the access control requirement. Answer B is correct because CloudTrail logs S3 object-level (data) events, and Athena simplifies log analysis for audits. The other options are incorrect: C requires custom Lambda processing (more maintenance), D uses a less granular bucket policy that does not separate employees from each other, and E focuses on resource configuration changes rather than access logs. Key points: use IAM policies with policy variables for per-user access, and CloudTrail with Athena for scalable access logging.
Answer
The correct answer is: AB
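The policy described in option A, written out as an added example (not part of the original question; the bucket name is a placeholder). It shows the detail the option glosses over: s3:ListBucket is a bucket-level action, so the per-user folder restriction for listing must be expressed with the s3:prefix condition key, while the object actions are scoped through the resource ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-docs-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${aws:username}",
            "${aws:username}/*"
          ]
        }
      }
    },
    {
      "Sid": "ReadWriteOwnFolderOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-docs-bucket/${aws:username}/*"
    }
  ]
}
```

Because ${aws:username} is only populated for IAM users, sessions from assumed roles or federated identities get no value and simply fail to match, so this design fits the question's single IAM user group but would need a different variable (for example a principal tag) if access were later moved to roles.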