How would you implement a data lake with strong security and fine-grained access controls?

Boost your AWS Certified Solutions Architect Professional knowledge. Study with our powerful practice exams featuring flashcards and detailed explanations. Prepare thoroughly for your SAP-C02 certification with our comprehensive quiz!

Multiple Choice

Explanation:
At the heart of a secure data lake is centralized governance over who can access which data, at scale, while keeping data encrypted at rest and in transit. S3 serves as the durable, scalable object storage backbone, and Lake Formation adds a single control plane to define and enforce fine-grained permissions on databases, tables, and even specific columns or rows, independent of the underlying S3 objects. Combining this with IAM for identity and policy management and enabling server-side encryption with SSE-KMS gives you strong encryption at rest plus key-based access controls that are auditable and easy to rotate. Lake Formation works with the Glue Data Catalog to drive governance decisions and uses grants to precisely control access, enabling least-privilege permissions for users and jobs while maintaining centralized oversight.

The other options fall short for a data lake:

- Encrypting EBS volumes covers only block storage for individual EC2 instances and doesn't provide scalable, centralized data governance or fine-grained access.
- Glacier with ACLs offers archival storage with limited, coarse-grained access controls.
- RDS encryption features apply to structured relational databases, not to a scalable, multi-format data lake.
