SAP-C02 第 306 题
题目
A research center is migrating to the AWS Cloud and has moved its on-premises 1 PB object storage to an Amazon S3 bucket. One hundred scientists are using this object storage to store their work-related documents. Each scientist has a personal folder on the object store. All the scientists are members of a single IAM user group. The research center's compliance officer is worried that scientists will be able to access each other's work. The research center has a strict obligation to report on which scientist accesses which documents. The team that is responsible for these reports has little AWS experience and wants a ready-to-use solution that minimizes operational overhead. Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)
中文翻译:
一家研究中心正在迁移到 AWS 云,并将其本地 1 PB 对象存储迁移到 Amazon S3 存储桶。一百名科学家正在使用此对象存储来存储他们的工作相关文档。每个科学家在对象存储上都有一个个人文件夹。所有科学家都是同一个 IAM 用户组的成员。该研究中心的合规官员担心科学家们将能够访问彼此的工作成果。研究中心有严格的义务报告哪些科学家访问了哪些文件。负责这些报告的团队几乎没有 AWS 经验,并且需要一个现成的解决方案来最大限度地减少运营开销。解决方案架构师应该采取哪些操作组合来满足这些要求? (选择两个。)
选项
A. Create an identity policy that grants the user read and write access. Add a condition that specifies that the S3 paths must be prefixed with $(aws:username). Apply the policy on the scientists’ IAM user group.
中文翻译:
创建授予用户读写访问权限的身份策略。添加一个条件,指定 S3 路径必须以 $(aws:username) 为前缀。将策略应用于科学家的 IAM 用户组。
B. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket. Store the trail output in another S3 bucket. Use Amazon Athena to query the logs and generate reports.
中文翻译:
使用 AWS CloudTrail 配置跟踪以捕获 S3 存储桶中的所有对象级事件。将跟踪输出存储在另一个 S3 存储桶中。使用 Amazon Athena 查询日志并生成报告。
C. Enable S3 server access logging. Configure another S3 bucket as the target for log delivery. Use Amazon Athena to query the logs and generate reports.
中文翻译:
启用 S3 服务器访问日志记录。配置另一个S3存储桶作为日志传送的目标。使用 Amazon Athena 查询日志并生成报告。
D. Create an S3 bucket policy that grants read and write access to users in the scientists’ IAM user group.
中文翻译:
创建一个 S3 存储桶策略,向科学家的 IAM 用户组中的用户授予读写访问权限。
E. Configure a trail with AWS CloudTrail to capture all object-level events in the S3 bucket and write the events to Amazon CloudWatch. Use the Amazon Athena CloudWatch connector to query the logs and generate reports.
中文翻译:
使用 AWS CloudTrail 配置跟踪以捕获 S3 存储桶中的所有对象级事件并将这些事件写入 Amazon CloudWatch。使用 Amazon Athena CloudWatch 连接器查询日志并生成报告。
答案
AB
解析
正确答案:AB 解析: 本题应选择 AB。 正确选项: A. 创建授予用户读写访问权限的身份策略。添加一个条件,指定 S3 路径必须以 $(aws:username) 为前缀。将策略应用于科学家的 IAM 用户组。 B. 使用 AWS CloudTrail 配置跟踪以捕获 S3 存储桶中的所有对象级事件。将跟踪输出存储在另一个 S3 存储桶中。使用 Amazon Athena 查询日志并生成报告。 选择理由: 该选项最直接地满足题干中的...