Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon Exam SCS-C01 Topic 2 Question 57 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 57
Topic #: 2
[All SCS-C01 Questions]

Your CTO is very worried about the security of your IAM account. How best can you prevent hackers from completely hijacking your account?

Please select:

Show Suggested Answer Hide Answer
Suggested Answer: A, D, E

https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html

To get objects from an S3 bucket that are encrypted with a KMS customer managed key, the security team needs to have the following factors in place:

The IAM instance profile that is attached to the EC2 instance must allow the s3:GetObject action to the S3 bucket or object in the AWS account. This permission is required to read the object from S3. Option A is incorrect because it specifies the s3:ListBucket action, which is only required to list the objects in the bucket, not to get them.

The KMS key policy that encrypts the object in the S3 bucket must allow the kms:Decrypt action to the EC2 instance profile ARN. This permission is required to decrypt the object using the KMS key. Option D is correct.

The security group that is attached to the EC2 instance must have an outbound rule to the S3 managed prefix list over port 443. This rule is required to allow HTTPS traffic from the EC2 instance to S3 within the AWS infrastructure. Option E is correct. Option B is incorrect because it specifies the s3:ListParts action, which is only required for multipart uploads, not for getting objects. Option C is incorrect because it specifies the kms:ListKeys action, which is not required for getting objects. Option F is incorrect because it specifies an inbound rule from the S3 managed prefix list, which is not required for getting objects. Verified Reference:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html


by Hubert at Apr 10, 2024, 06:32 PM

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Leigha
10 months ago
Actually, I believe options C and D are also important to consider. The KMS key policy could be preventing access.
upvoted 0 times
...
Bok
10 months ago
I agree with Josue. The IAM instance profile and security group rules seem like common causes of such issues.
upvoted 0 times
...
Josue
11 months ago
I think options A, E, and F could be causing the issue.
upvoted 0 times
...
Brigette
11 months ago
I also think the missing outbound rule in the security group could be causing the issue.
upvoted 0 times
...
Heike
11 months ago
Yeah, I agree. That could definitely be one of the factors causing the problem.
upvoted 0 times
...
Audra
11 months ago
I think the issue could be because the IAM instance profile does not allow the s3 ListBucket action.
upvoted 0 times
...
Aileen
1 years ago
Haha, I bet the security team is pulling their hair out trying to figure this one out. I'm guessing they've already checked the obvious stuff, like the security group and IAM permissions.
upvoted 0 times
Yvonne
10 months ago
Maybe they missed setting up the outbound rule in the security group?
upvoted 0 times
...
Yvonne
11 months ago
I agree, they should also review the KMS key policy to see if there are any restrictions.
upvoted 0 times
...
Yvonne
11 months ago
Yep, they probably need to double-check the IAM instance profile permissions.
upvoted 0 times
...
...
Valda
1 years ago
Yeah, we need to make sure the instance profile has the necessary permissions to interact with the S3 bucket and the KMS key.
upvoted 0 times
Jaleesa
12 months ago
E) The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.
upvoted 0 times
...
Josue
12 months ago
C) The KMS key policy that encrypts the object in the S3 bucket does not allow the kms ListKeys action to the EC2 instance profile ARN.
upvoted 0 times
...
Lou
12 months ago
A) The IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3 bucket in the AWS accounts.
upvoted 0 times
...
...
Jaime
1 years ago
Hmm, yeah, the KMS key policy is a good point. And don't forget about the security group - it might be missing the right rules to allow the traffic to and from S3.
upvoted 0 times
...
Alesia
1 years ago
Ah, I see. The IAM instance profile and the KMS key policy are likely the culprits here.
upvoted 0 times
...
Daniel
1 years ago
You're probably right, they've likely gone through the basics. But you know what they say, 'the devil is in the details' when it comes to AWS security.
upvoted 0 times
...
Maile
1 years ago
That's a good point. We need to focus on the permissions and configurations within the AWS environment.
upvoted 0 times
...
Basilia
1 years ago
Wow, this is a tricky one. Let's see, we need to select three factors that could be causing the issue. I'm guessing the IAM instance profile permissions might be the culprit, since the team is unable to get objects from the S3 bucket.
upvoted 0 times
...
Taryn
1 years ago
The key thing here is that the traffic is restricted to the AWS infrastructure, so the public internet is not an issue.
upvoted 0 times
...
Ligia
1 years ago
Hmm, let's think this through step-by-step. I'm confident we can figure this out.
upvoted 0 times
...
Vanda
1 years ago
Oh, this question seems tricky. I'm not sure if I would be able to get the right answer on the first try.
upvoted 0 times
...

Save Cancel