
AWS SAA Drill: Multi-Source Visualization - The Access Control Trade-off Analysis

Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AWS Certified Solutions Architect - Associate (SAA) exam, many candidates are unsure how to securely provide consolidated reporting across multiple data sources. In the real world, this is fundamentally a decision about balancing centralized analytics with strict access controls and operational simplicity. Let’s drill into a simulated scenario.

The Scenario

Imagine you are the cloud architect for DataVision Analytics, a mid-sized analytics consulting firm. DataVision hosts their enterprise data lake on AWS, which includes raw and processed data stored in Amazon S3, as well as transactional customer data stored in an Amazon RDS for PostgreSQL instance. DataVision’s management team wants to have full, interactive data visualization reports combining all data sources, but other employees should only have limited or no access to sensitive dashboards.

Key Requirements

Provide a cost-effective, scalable solution that enables consolidated data visualization across the S3 data lake and PostgreSQL database while maintaining strict access control so only the management team has full dashboard access, and others have restricted or read-only views.

The Options

  • A) In Amazon QuickSight, create analyses connecting to all data sources and build new datasets. Publish dashboards for data visualization and share them with the appropriate IAM roles for access control.
  • B) In Amazon QuickSight, create analyses connecting all data sources and build new datasets. Publish dashboards and share them with specific QuickSight users and groups to manage different access levels.
  • C) Create AWS Glue tables and crawlers over S3 data, build AWS Glue ETL jobs to generate reports, publish reports to an S3 bucket, and use bucket policies to restrict access to reports.
  • D) Create AWS Glue tables and crawlers on S3 data, use Amazon Athena to run federated queries combining S3 data and RDS PostgreSQL data, generate reports via Athena and publish to S3, securing access with bucket policies.

Correct Answer

B.


The Architect’s Analysis

Correct Answer

Option B

Step-by-Step Winning Logic

Option B leverages Amazon QuickSight’s native user and group sharing features, which provide fine-grained access control at the dashboard level. This matches the requirement: management gets full interactive access, and other employees can be assigned limited rights using built-in groups. QuickSight seamlessly connects to both Amazon S3 and Amazon RDS data sources, enabling consolidated visualizations without additional data movement or ETL overhead. This reduces operational complexity and cost.

In comparison, Option A’s reliance on sharing dashboards through IAM roles is less common practice in QuickSight and does not provide fine-grained user or group control, limiting security and usability. Options C and D involve building custom ETL or Athena queries, which add processing cost, latency, and complexity without strong native access control on interactive reporting. Publishing static reports to S3 also reduces user experience.

Hence, Option B offers the best balance of ease of use, security, cost-effectiveness, and user experience for the use case.
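The group-based sharing in Option B can be expressed and audited in code. The sketch below is an added example, not code from the original article: it builds the `GrantPermissions` payload for the QuickSight `UpdateDashboardPermissions` API and then checks a permission list for principals outside the management group that hold more than viewer rights. The group names, account ID, region, and the mapping of "full access" to the co-owner action set are assumptions, and the sample data is constructed.

```python
# Added example: group names, account ID and sample permissions are constructed.
READER_ACTIONS = frozenset({
    "quicksight:DescribeDashboard",
    "quicksight:ListDashboardVersions",
    "quicksight:QueryDashboard",
})
# Assumption: "full access" for management means the dashboard co-owner action set.
OWNER_ACTIONS = READER_ACTIONS | {
    "quicksight:UpdateDashboard",
    "quicksight:DeleteDashboard",
    "quicksight:DescribeDashboardPermissions",
    "quicksight:UpdateDashboardPermissions",
    "quicksight:UpdateDashboardPublishedVersion",
}

def group_arn(account_id, group, region="us-east-1", namespace="default"):
    """ARN of a QuickSight group (not an IAM role)."""
    return f"arn:aws:quicksight:{region}:{account_id}:group/{namespace}/{group}"

def build_grants(account_id, owner_groups, reader_groups):
    """GrantPermissions list to pass to UpdateDashboardPermissions."""
    grants = [{"Principal": group_arn(account_id, g), "Actions": sorted(OWNER_ACTIONS)}
              for g in owner_groups]
    grants += [{"Principal": group_arn(account_id, g), "Actions": sorted(READER_ACTIONS)}
               for g in reader_groups]
    return grants

def audit_permissions(permissions, allowed_owner_arns):
    """Flag principals that hold more than viewer actions without being allowlisted."""
    findings = []
    for entry in permissions:
        extra = set(entry["Actions"]) - READER_ACTIONS
        if extra and entry["Principal"] not in allowed_owner_arns:
            findings.append((entry["Principal"], sorted(extra)))
    return findings

# Constructed sample shaped like the Permissions list of DescribeDashboardPermissions:
# the intended grants plus one drifted entry that can re-share the dashboard.
ACCOUNT = "111122223333"
SAMPLE_PERMISSIONS = build_grants(ACCOUNT, ["management"], ["employees"]) + [
    {"Principal": group_arn(ACCOUNT, "contractors"),
     "Actions": ["quicksight:DescribeDashboard", "quicksight:QueryDashboard",
                 "quicksight:UpdateDashboardPermissions"]},
]
FINDINGS = audit_permissions(SAMPLE_PERMISSIONS, {group_arn(ACCOUNT, "management")})
```

Running the same audit against the live output of `DescribeDashboardPermissions` on a schedule catches sharing drift that the console does not surface on its own.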

The Traps (Distractor Analysis)

  • Why not A? Sharing QuickSight dashboards by IAM roles is not typical—roles are for backend permissions, not granular user dashboard control. This approach is cumbersome to manage and less secure.
  • Why not C? Running custom Glue ETL jobs to generate reports leads to extra compute cost and complexity. It also delivers static reports with no interactivity and requires careful permissions management on S3.
  • Why not D? Athena federated queries provide flexible data access but do not solve the access control problem elegantly for interactive dashboards. Similar cost and operational concerns as C apply.

The Architect Blueprint

graph TD
    ManagementTeam([Management Team])
    Employees([Other Employees])
    QuickSightUsers([QuickSight Users & Groups])
    S3DataLake([Amazon S3 Data Lake])
    PostgresDB([Amazon RDS PostgreSQL])
    QuickSightDashboards([QuickSight Dashboards])
    S3DataLake --> QuickSightDashboards
    PostgresDB --> QuickSightDashboards
    QuickSightDashboards --> QuickSightUsers
    QuickSightUsers --> ManagementTeam
    QuickSightUsers --> Employees
    style QuickSightDashboards fill:#f9f,stroke:#333,stroke-width:2px

Diagram Note:
This diagram shows QuickSight dashboards drawing data from both S3 and RDS PostgreSQL, then being shared securely through QuickSight users and groups to different company roles with segregated permissions.

Real-World Practitioner Insight

Exam Rule

For the AWS SAA exam, always pick Amazon QuickSight for interactive business intelligence when the requirement includes multiple AWS-native data sources and differentiated user access.

Real World

In production, data teams might combine QuickSight with column-level and row-level security, or augment with Athena views for complex queries. For massive datasets, consider Redshift Spectrum or external tools, but QuickSight’s native user management keeps FinOps costs predictable.