1. Question
Category: CSAA – Design High-Performing Architectures
A Solutions Architect uses AWS Lake Formation to manage a data lake that stores petabytes of data spread across various AWS accounts. The data lake contains various reporting data that are uploaded by both the Data Analytics and the DevOps team.
The Data Analytics team wants to selectively share certain data from its accounts in a secure manner with the company’s DevOps team for reporting purposes. Strict data access control and monitoring must be implemented to meet security and compliance requirements.
Which of the following is the most operationally efficient way to fulfill these requirements with MINIMAL operational overhead?
- Replicate the necessary data to a central AWS account. Set up AWS Organizations and AWS Control Tower for governance and security standardization. Establish an IAM access role in the central account. Define a permission policy that includes trusted entities from the Data Analytics team accounts and facilitated through AWS Organizations.
- Utilize the AWS Lake Formation permissions "Grant" command in each account to give the DevOps teams access to specific datasets. Implement AWS Security Hub Integration to ensure robust security monitoring.
- Use AWS Data Exchange to securely share required data with designated DevOps team accounts. Implement Lake Formation permissions "Grant" command within each account for fine-grained control.
- Implement Lake Formation tag-based access control to enable authorization and cross-account permissions for the needed datasets to engineering team accounts. Integrate with AWS Security Hub to enhance security monitoring and compliance oversight.
- Answer
6. Question
Category: CSAA – Design Secure Architectures
An enterprise company uses multiple AWS accounts for different business units. The AWS accounts are set up and consolidated into an organization via the AWS Organizations service.
The company sites are distributed globally across different countries and regions. There is a need to centrally manage security group rules across the organization to allow CIDR ranges of new office locations and remove old CIDR ranges as needed.
What design should the solutions architect propose to meet the requirements in the MOST cost-effective manner?
- Build an AWS-managed prefix list in Amazon VPC containing the CIDR blocks to allow or block. Enable Security Hub for the AWS accounts and define a policy that specifies the desired security group updates. Create a Lambda function to call the modify_managed_prefix_list API that can be triggered by Amazon EventBridge when updating the CIDR blocks.
- Leverage AWS Firewall Manager to create a common security group policy. Select the security groups previously created as the primary group in the policy.
- Enable Route 53 Application Recovery Controller (Route 53 ARC) in the AWS account. Create a Recovery Control Panel to define the routing control states and configurations of the CIDR ranges of each business unit or company site. Define routing control states within the RCP to indicate how traffic should be routed. Enable Zonal Shift functionality in Route 53 ARC to shift traffic from one set of resources to another with the defined CIDR ranges.