When building a secure data lake, how should you enforce access controls on data?


Multiple Choice

When building a secure data lake, how should you enforce access controls on data?

Explanation:

Securing a data lake hinges on a layered, centralized approach that combines fine-grained access control, robust encryption, and visibility. AWS Lake Formation provides fine-grained permissions that let you grant or deny access at the database, table, or even column level, mapped to specific IAM principals. This centralized governance is reinforced by S3 bucket policies that enforce who can reach the underlying storage and by IAM roles and policies that define what actions each principal can perform across the data lake. Protecting data at rest and in transit is essential, so enable encryption for data stored in S3 (preferably SSE-KMS) and ensure encryption in transit with TLS. Auditing is also key: use Lake Formation audit logs and CloudTrail data events to monitor who accessed what data and when, supporting accountability and compliance. This combination delivers granular, auditable control and minimizes the risk of unauthorized access.

Public read access is not acceptable because it exposes sensitive data to anyone. Storing all data unencrypted leaves data vulnerable at rest and fails security and compliance requirements. Relying on a single IAM user for all access removes granularity and accountability, making it impossible to enforce least privilege or track individual actions.
