Create a custom IAM Identity Center permission set to grant the data scientists access to an S3 bucket prefix that matches their username tag. Use a policy to limit access to paths with the ${aws:PrincipalTag/userName>/" condition.

Create an IAM Identity Center role for the data scientist group that has Amazon S3 read access and write access. Add an S3 bucket policy that allows access to the IAM

Identity Center role.

Configure AWS CloudTrail to log S3 data events and deliver the logs to an S3 bucket. Use Amazon Athena to run queries on the CloudTrail logs in Amazon S3.

Configure AWS CloudTrail to log S3 management events to Amazon CloudWatch. Use the Amazon Athena CloudWatch connector to query the logs.

Enable S3 access logging to the EMR File System (EMRFS). Create an AWS Glue job to run queries on the access log data in EMRFS.