A company has an Amazon Elastic File System (Amazon EFS) file system containing a reference dataset. EC2-based applications need to read the dataset but must not modify it. The company wants to use IAM access control to prevent the applications from modifying or deleting the dataset. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles attached to the EC2 instances..
Why this is the answer
The correct solution is to create a resource policy for the EFS file system that explicitly denies the elasticfilesystem:ClientWrite action to the IAM roles used by the EC2 instances. EFS resource policies (also known as EFS file system policies) are the primary way to manage access to an EFS file system at the file system level. By denying the ClientWrite action, you prevent any modifications or deletions, ensuring read-only access. Mounting the EFS file system in read-only mode from within the EC2 instances is a client-side control and can be bypassed or misconfigured. An identity policy for the EFS file system is not a standard AWS IAM concept; IAM policies are either identity-based (attached to users/roles) or resource-based (attached to resources). While an identity-based policy attached to the EC2 instance roles could deny write access, a resource policy on the EFS file system itself is a more robust and centralized control for this scenario. EFS access points primarily simplify application access for specific paths and users, but POSIX permissions alone might not be sufficient for a strong, centralized IAM-based denial of write access.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed