
  • Question about accessing S3 bucket

  • ch34

    Member
    April 16, 2025 at 12:32 am

    Hi,

    my topic is about this question:

    A pharmaceutical firm must securely store confidential experimental data. The company manages user authentication through AWS IAM Identity Center and has assigned its R&D scientists to a dedicated group.

    The firm wants to consolidate all research documents into a shared Amazon S3 bucket while ensuring that each scientist can only access files they own. In addition, the company wants monthly audit reports detailing which users accessed which documents.

    What combination of steps will satisfy these requirements? (Select TWO.)

    One of the possible answers is:

    Create an S3 Access Point for each scientist with a resource policy restricting access to objects with matching prefixes. Enable S3 Server Access Logging and use Amazon QuickSight to visualize access patterns.

    Why is this answer wrong?

    Your explanation:

    This option could only work for access control; it doesn’t provide the detailed monthly audit reports required. QuickSight is more suited for business intelligence than detailed access auditing.

    Let’s talk about the first part of the answer (that QuickSight is not made for visualizing access patterns is clear for me). Why is this not correct?

    One of the two correct answers is:

    Create a custom IAM Identity Center role with a permission set granting access to the S3 bucket. Use an identity-based policy restricting data access to prefixes identified by each user’s tag, such as the ${aws:PrincipalTag/userNameID}/* condition.

    So why is this correct?

    This answer “doesn’t provide the detailed monthly audit reports required” as well.

    So the same argumentation applies for it, too, right?

    Thanks,

    Chris

  • JR-TutorialsDojo

    Administrator
    April 16, 2025 at 10:03 am

    Hello ch34,

    Thanks for the feedback.

    The use of the IAM Identity Center, combined with an identity-based policy, allows for fine-grained access control. Specifically, the policy restricts access to only the files a user (scientist) is authorized to access by using tags. For example, the tag ${aws:PrincipalTag/userNameID}/* ensures that each user only has access to files they own (because each file is tagged with the user’s ID as part of the filename or metadata).

    The IAM Identity Center and identity-based policy don’t directly generate audit reports, but they work in conjunction with other AWS services, like CloudTrail, to provide detailed logs. CloudTrail will log events for every access attempt, and these logs can then be queried with Athena to generate the required monthly audit reports. So, while the IAM Identity Center itself doesn’t generate the reports, it ensures that the correct user is granted access to the appropriate data in the first place, and the audit logs from CloudTrail will give you the detailed information required.

    Here’s the distinction:

    (IAM Identity Center) can be integrated with CloudTrail for access tracking. It ensures that each scientist has access to their own files, and the CloudTrail logs can then be queried to generate monthly reports.

    (S3 Access Point + QuickSight) only addresses access control but lacks the direct capability to generate or track detailed access logs for auditing purposes. QuickSight is a data visualization tool, not an auditing tool.

    QuickSight can take CloudTrail logs and turn them into reports or dashboards. However, QuickSight itself doesn’t generate or track the logs; it only visualizes data that’s already been collected. So, you’d need to query the CloudTrail logs (e.g., via Athena) and store them in a location that QuickSight can access (e.g., an S3 bucket or database). For more information, please refer to this.

    I hope this helps! Let us know if you need further assistance.

    Regards,
    JR @ Tutorials Dojo
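    To make the tag-scoped policy JR describes concrete, here is an added example (not code from the thread or from Tutorials Dojo) that writes out the identity-based policy with the `${aws:PrincipalTag/userNameID}/*` condition and includes a small offline evaluator of just those two statements, so you can see which requests resolve to an Allow. The bucket name `research-data-bucket`, the tag key `userNameID` and the user names are assumptions; the evaluator models only the prefix/resource matching shown here, not the full IAM evaluation logic (no Deny statements, no SCPs, no resource policies).

```python
"""Identity-based policy scoping each scientist to their own S3 prefix,
with a minimal offline evaluator of the tag-substituted conditions.

Added example, not from the forum thread or Tutorials Dojo. Assumptions:
bucket name, tag key and user names are placeholders; only the two
statements below are modelled, not full IAM evaluation.
"""
import fnmatch
import json
from typing import Dict, List, Optional

BUCKET = "research-data-bucket"  # placeholder bucket name

# Policy document in the shape a permission set / role policy would carry.
# ${aws:PrincipalTag/userNameID} is filled from the caller's session tag
# at evaluation time, so one policy serves every scientist in the group.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOwnPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {
                "StringLike": {"s3:prefix": ["${aws:PrincipalTag/userNameID}/*"]}
            },
        },
        {
            "Sid": "ObjectAccessOwnPrefixOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/${{aws:PrincipalTag/userNameID}}/*",
        },
    ],
}


def policy_json() -> str:
    """The policy as it would be pasted into the permission set."""
    return json.dumps(POLICY, indent=2)


def _substitute(template: str, principal_tags: Dict[str, str]) -> Optional[str]:
    """Replace every ${aws:PrincipalTag/KEY} with the caller's tag value.
    Returns None if a referenced tag is missing: an unresolvable variable
    means the statement cannot match, which is the fail-closed behaviour
    you want when a session arrives without the expected tag."""
    marker = "${aws:PrincipalTag/"
    out = template
    while marker in out:
        start = out.index(marker)
        end = out.index("}", start)
        key = out[start + len(marker):end]
        if key not in principal_tags:
            return None
        out = out[:start] + principal_tags[key] + out[end + 1:]
    return out


def is_allowed(action: str, resource: str, principal_tags: Dict[str, str],
               s3_prefix: Optional[str] = None) -> bool:
    """True if some Allow statement matches the request (implicit deny otherwise)."""
    for stmt in POLICY["Statement"]:
        actions: List[str] = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        resolved = _substitute(stmt["Resource"], principal_tags)
        if resolved is None or not fnmatch.fnmatchcase(resource, resolved):
            continue
        like = stmt.get("Condition", {}).get("StringLike", {})
        if "s3:prefix" in like:
            # A ListBucket call without a prefix has no s3:prefix key, so the
            # StringLike condition fails and the listing is denied.
            if s3_prefix is None:
                continue
            patterns = [_substitute(p, principal_tags) for p in like["s3:prefix"]]
            if not any(p is not None and fnmatch.fnmatchcase(s3_prefix, p) for p in patterns):
                continue
        return True
    return False


if __name__ == "__main__":
    print(policy_json())
    alice = {"userNameID": "alice"}
    own = f"arn:aws:s3:::{BUCKET}/alice/assay-42.csv"
    other = f"arn:aws:s3:::{BUCKET}/bob/assay-07.csv"
    print("alice reads own object:   ", is_allowed("s3:GetObject", own, alice))
    print("alice reads bob's object: ", is_allowed("s3:GetObject", other, alice))
    print("alice lists bob/ prefix:  ", is_allowed("s3:ListBucket", f"arn:aws:s3:::{BUCKET}", alice, "bob/"))
    print("untagged session reads:   ", is_allowed("s3:GetObject", own, {}))
```

The last case in the demo is the one worth checking in a real deployment: if the Identity Center attribute is not mapped to the `userNameID` session tag, the variable never resolves and every scientist is locked out rather than granted broad access, which is the safe failure direction.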

  • ch34

    Member
    April 17, 2025 at 2:46 am

    Thanks for your answer.

    I’m not sure if we are talking about the same.

    Using S3 access points is a valid way to make fine-grained access control for this use case. This is not the problem with the answer, right? I could define several access points for each user/group and define the S3 prefix on which they apply and if they have read/write permissions. This would satisfy the requirement of “ensuring that each scientist can only access files they own”, right?

    So only the requirement about logging which user accessed which files would still be open, right?

    Using S3 server access logging doesn’t tell me which user accessed which files, right? It just shows the HTTP status code, time, etc.

    That’s why this solution doesn’t work (besides QuickSight)?

    If I’m using S3 access points can I log S3 events via CloudTrail? If yes, then S3 Access points + CloudTrail + Athena would be a valid solution?

    Thanks again,

    Chris

    • JR-TutorialsDojo

      Administrator
      April 17, 2025 at 9:43 am

      Hi Chris,

      A combination of S3 Access Points, CloudTrail, and Athena would indeed be a valid solution for this scenario. However, the inclusion of Server Access Logging and Amazon QuickSight makes it wrong.

      Using CloudTrail is recommended for logging both bucket-level and object-level actions for Amazon S3 resources. – https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html

      QuickSight is primarily a visualization tool, not an auditing tool.

      I hope this clears things up! Let me know if you have further questions or need more clarification.

      Regards,
      JR @ Tutorials Dojo
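      The audit half of the answer (CloudTrail data events queried for a monthly report) is easier to judge with the record shape in front of you. The following is an added example, not code from the thread or from Tutorials Dojo: it takes CloudTrail S3 data-event records, maps the Identity Center assumed-role session back to the user, and produces a per-user, per-object count of allowed and denied accesses for one month, which is the same grouping an Athena query over a CloudTrail table would return. The events, account id `111122223333`, the `AWSReservedSSO_Researcher_...` role name and the bucket name are all constructed placeholders.

```python
"""Per-user, per-object monthly access report from CloudTrail S3 data events.

Added example, not from the forum thread or Tutorials Dojo. SAMPLE_EVENTS
are constructed records trimmed to the fields used here; the account id,
role name, user names and bucket name are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Researcher_0123456789abcdef"
BUCKET = "research-data-bucket"


def _event(when: str, name: str, user: str, key: str, error: str = "") -> dict:
    """Build one constructed CloudTrail-style S3 data event."""
    ev = {
        "eventTime": when,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "arn": f"{ROLE_ARN}/{user}"},
        "requestParameters": {"bucketName": BUCKET, "key": key},
    }
    if error:
        ev["errorCode"] = error  # CloudTrail records denied attempts too
    return ev


# Constructed sample trail: two scientists, one cross-prefix attempt, one
# event from the following month and one non-S3 event to be filtered out.
SAMPLE_EVENTS: List[dict] = [
    _event("2025-04-02T09:15:30Z", "GetObject", "alice@example.com", "alice/assay-42.csv"),
    _event("2025-04-03T14:02:11Z", "PutObject", "alice@example.com", "alice/assay-43.csv"),
    _event("2025-04-05T08:47:59Z", "GetObject", "bob@example.com", "alice/assay-42.csv", "AccessDenied"),
    _event("2025-04-10T16:30:05Z", "GetObject", "bob@example.com", "bob/notes.txt"),
    _event("2025-05-01T10:00:00Z", "GetObject", "alice@example.com", "alice/assay-42.csv"),
    {
        "eventTime": "2025-04-01T07:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
        "requestParameters": {"roleArn": ROLE_ARN},
    },
]


def principal_name(identity: dict) -> str:
    """Map a CloudTrail userIdentity to a readable principal. Identity Center
    users appear as assumed-role sessions whose session name is the user name;
    other identity types fall back to userName or the raw ARN."""
    if identity.get("type") == "AssumedRole":
        return identity["arn"].rsplit("/", 1)[-1]
    return identity.get("userName") or identity.get("arn", "unknown")


def monthly_report(events: List[dict], year: int, month: int) -> Dict[str, Dict[str, Dict[str, int]]]:
    """{user: {bucket/key: {"allowed": n, "denied": n}}} for S3 object events in one month."""
    report: Dict[str, Dict[str, Dict[str, int]]] = defaultdict(
        lambda: defaultdict(lambda: {"allowed": 0, "denied": 0}))
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if (ts.year, ts.month) != (year, month):
            continue
        params = ev.get("requestParameters") or {}
        if "key" not in params:
            continue  # bucket-level call (ListObjects etc.), not an object access
        user = principal_name(ev["userIdentity"])
        obj = f"{params['bucketName']}/{params['key']}"
        outcome = "denied" if ev.get("errorCode") else "allowed"
        report[user][obj][outcome] += 1
    return {u: {o: dict(c) for o, c in objs.items()} for u, objs in report.items()}


def render_report(report: Dict[str, Dict[str, Dict[str, int]]]) -> str:
    """CSV text, one row per user/object pair, sorted for stable diffs."""
    lines = ["user,object,allowed,denied"]
    for user in sorted(report):
        for obj in sorted(report[user]):
            c = report[user][obj]
            lines.append(f"{user},{obj},{c['allowed']},{c['denied']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(monthly_report(SAMPLE_EVENTS, 2025, 4)))
```

Keeping the denied attempts as their own column is what turns a usage report into an audit report: Bob's rejected read of Alice's file is exactly the line a reviewer wants to see, and it only exists because CloudTrail logs the attempt and the policy from the earlier post denied it.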

  • ch34

    Member
    April 17, 2025 at 3:43 pm

    Thanks,

    this short summary clarifies it.

    • JR-TutorialsDojo

      Administrator
      April 17, 2025 at 4:48 pm

      Thanks, Chris! Let us know if you need further assistance.
