A company will create an Amazon EMR cluster for multiple teams. Each team’s workloads should have access only to the AWS services they need. The company also does not want workloads to be able to access the Instance Metadata Service Version 2 (IMDSv2) on the cluster EC2 instances. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create EMR runtime roles. Configure the cluster to use the runtime roles. Use the runtime roles to submit the big data workloads..
Why this is the answer
The correct solution is to create EMR runtime roles and configure the cluster to use them. EMR runtime roles allow you to define specific IAM roles for individual jobs or notebooks running on an EMR cluster. This provides fine-grained access control, ensuring each team's workload only accesses the AWS services it needs. Additionally, when runtime roles are used, EMR automatically configures the EC2 instances to block access to IMDSv1 and IMDSv2 from containers and processes running on the cluster, preventing unauthorized access to instance credentials. Configuring interface VPC endpoints for each service is not directly related to controlling access for individual workloads on the EMR cluster or blocking IMDSv2 access. Creating an EC2 IAM instance profile would apply the same permissions to all workloads on the instances, failing to meet the requirement for team-specific access. Setting EnableApplicationScopedIAMRole to false in an EMR security configuration would disable runtime roles, which is the opposite of what is needed to achieve fine-grained access and IMDSv2 protection.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed