SAP-C02 Study Assistant

SAP-C02 Question 101

Transit Gateway S3 IAM Organizations KMS

Question

A company is running applications on AWS in a multi-account environment. The company's sales team and marketing team use separate AWS accounts in AWS Organizations. The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualizations. The marketing team needs access to data that the sales team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key. The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in the marketing AWS account. The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts. Which solution will meet these requirements with the LEAST operational overhead?


Options

A. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3 bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket.


B. Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS Resource Access Manager (AWS RAM) to share the KMS key from the sales account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.


C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.


D. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account.


Answer

D

Explanation

Correct answer: D
Explanation: D should be chosen for this question.
Correct option: D. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account.
Reason for the choice: this option most directly satisfies the key constraint stated in the question stem. When working through SAP-C02 questions, always check the answer against the qualifiers in the stem as well, such as highest performance, lowest operational overhead, cost effectiveness, reliability, scalability, security...
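The three policy documents that option D implies, written out as an added example (this is not code from the original page or from AWS; the account IDs, bucket name, key ARN and role names are placeholders): a trust policy on the new sales-account role that admits only the marketing account's QuickSight role, a permissions policy on that role scoped to the one bucket and the one KMS key, and the sts:AssumeRole grant the QuickSight role needs. A small lint function then checks each document for the least-privilege properties a reviewer would look for (no wildcard principals, actions or resources, and no trust of an entire account) before the policies are deployed.

```python
"""Cross-account role assumption for QuickSight (option D), as an added example.

All identifiers below are constructed placeholders, not values from the page.
"""
import json

SALES_ACCOUNT = "111111111111"        # placeholder account id
MARKETING_ACCOUNT = "222222222222"    # placeholder account id
BUCKET = "sales-data-example"         # placeholder bucket name
KMS_KEY_ARN = (f"arn:aws:kms:us-east-1:{SALES_ACCOUNT}:key/"
               "00000000-0000-0000-0000-000000000000")   # placeholder key ARN
QUICKSIGHT_ROLE_ARN = (f"arn:aws:iam::{MARKETING_ACCOUNT}:role/service-role/"
                       "aws-quicksight-service-role-v0")  # assumed QuickSight role name
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{SALES_ACCOUNT}:role/QuickSightSalesDataReader"


def trust_policy() -> dict:
    """Trust policy of the sales-account role: only the marketing QuickSight role may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": QUICKSIGHT_ROLE_ARN},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy() -> dict:
    """Permissions of the sales-account role: read one bucket, decrypt with one key.

    The role lives in the same account as the KMS key, so the key's default
    policy statement (which lets IAM policies in the key's account grant access)
    is enough; no cross-account key policy change is required.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{BUCKET}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/*"},
            {"Effect": "Allow", "Action": ["kms:Decrypt"],
             "Resource": KMS_KEY_ARN},
        ],
    }


def quicksight_assume_policy() -> dict:
    """Attached to the marketing QuickSight role so it can switch into the sales role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": CROSS_ACCOUNT_ROLE_ARN,
        }],
    }


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint(policy: dict) -> list:
    """Return reviewer findings for a policy document; an empty list means it passes."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws_principals = []
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
            if "*" in aws_principals:
                findings.append(f"statement {i}: wildcard principal")
        for p in aws_principals:
            if p.startswith("arn:aws:iam::") and p.endswith(":root"):
                findings.append(f"statement {i}: trusts whole account {p}")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: wildcard resource")
    return findings


if __name__ == "__main__":
    for name, doc in [("trust", trust_policy()),
                      ("permissions", permissions_policy()),
                      ("quicksight-assume", quicksight_assume_policy())]:
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
        print("findings:", lint(doc) or "none")
```

Running the module prints the three documents and their lint findings. The same `lint` function applied to a trust policy whose principal is `arn:aws:iam::<account>:root` (the common shortcut of trusting a whole account) reports a finding, which is the point: option D keeps the trust scoped to the single QuickSight role rather than to everything in the marketing account.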
