A company uses Amazon Athena for one-time queries against data that is in Amazon S3. The company has several use cases. The company must implement permission controls to separate query processes and access to query history among users, teams, and applications that are in the same AWS account.
Which solution will meet these requirements?
Creating an Athena workgroup for each use case allows for isolation and management of different workloads, users, and permissions. This approach ensures that query processes and access to query history are separated effectively for each use case. By applying tags to the workgroups and creating IAM policies based on those tags, permissions can be managed in a more organized and simplified manner. This solution meets the requirements for permission controls across users, teams, and applications within the same AWS account.
Haha they copied this from the old DA Specialty. It's B https://docs.aws.amazon.com/athena/latest/ug/user-created-workgroups.html
B. Create an Athena workgroup for each use case. Apply tags to the workgroup. Create an IAM policy that uses the tags to apply appropriate permissions to the workgroup. Explanation: Athena workgroups allow you to isolate and manage different workloads, users, and permissions. By creating a separate workgroup for each use case, you can control access to query history, manage permissions, and enforce resource usage limits independently for each workload. Applying tags to workgroups allows you to categorize and organize them based on the use case, which simplifies policy management.
B is correct.
The only other answer that's confusing is C But its not the one. Creating separate IAM roles for each use case and associating them with Athena would not provide the necessary isolation and access control for query processes and query history.
B is more granular