Amazon Exam SCS-C02 Topic 5 Question 20 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 20
Topic #: 5

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAM Lambda function into each account that copies the relevant log files to the centralized S3 bucket.

The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

AThe S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

BThe object ACLs are not being updated to allow the users within the centralized account to access the objects

CThe Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

DThe s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Show Suggested Answer

Suggested Answer: B

For increased security while ensuring functionality, adjusting NACL3 to allow inbound traffic on port 5432 from the CIDR blocks of the application instance subnets, and allowing outbound traffic on ephemeral ports (1024-65536) back to those subnets creates a secure path for database access. Removing default allow-all rules enhances security by implementing the principle of least privilege, ensuring that only necessary traffic is permitted.

by Cristen at May 31, 2024, 06:21 AM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Viola

1 days ago

I think the Security Engineer is unable to access the log files because the S3 bucket policy does not explicitly allow access.

upvoted 0 times

...