Which steps will satisfy the security requirements for allowing access to sensitive data stored in Amazon S3 for an EMR cluster?

• A. Create a service role that grants no access to Amazon S3.
• B. Create IAM roles for each team that grant access to their specific bucket.
• C. Add IAM roles to the cluster's EMR role for the EC2 trust policy.
• D. Create a security configuration mapping for IAM roles to Active Directory user groups.

Answer: (B)

Creating IAM roles for each team that grant access to their specific bucket is the most effective method for managing access to sensitive data stored in Amazon S3 for an EMR cluster. This approach allows for fine-grained access control, ensuring that only authorized users have access to the specific datasets they require. By mapping teams to their respective S3 buckets via IAM roles, organizations can maintain strong security practices while facilitating collaboration among teams.

This method adheres to the principle of least privilege, where users only receive the minimum level of access necessary to perform their tasks. Additionally, managing access on a per-team basis allows for easier auditing and management of permissions as team members change or evolve.

The other approaches would not meet the security requirements effectively. Options that involve disabling access or general roles might lead to unintentional exposure of sensitive data or administrative overhead in managing permissions, which can be avoided with well-defined IAM roles tailored to each team's needs.