Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam SCS-C01 Topic 1 Question 50 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 50
Topic #: 1
[All SCS-C01 Questions]

A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet.

The security team is unable to get objects from the S3 bucket

Which factors could cause this issue? (Select THREE.)

Show Suggested Answer Hide Answer
Suggested Answer: A, D, E

https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html

To get objects from an S3 bucket that are encrypted with a KMS customer managed key, the security team needs to have the following factors in place:

The IAM instance profile that is attached to the EC2 instance must allow the s3:GetObject action to the S3 bucket or object in the AWS account. This permission is required to read the object from S3. Option A is incorrect because it specifies the s3:ListBucket action, which is only required to list the objects in the bucket, not to get them.

The KMS key policy that encrypts the object in the S3 bucket must allow the kms:Decrypt action to the EC2 instance profile ARN. This permission is required to decrypt the object using the KMS key. Option D is correct.

The security group that is attached to the EC2 instance must have an outbound rule to the S3 managed prefix list over port 443. This rule is required to allow HTTPS traffic from the EC2 instance to S3 within the AWS infrastructure. Option E is correct. Option B is incorrect because it specifies the s3:ListParts action, which is only required for multipart uploads, not for getting objects. Option C is incorrect because it specifies the kms:ListKeys action, which is not required for getting objects. Option F is incorrect because it specifies an inbound rule from the S3 managed prefix list, which is not required for getting objects. Verified Reference:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html


Contribute your Thoughts:

Arminda
8 months ago
Absolutely. Gotta cover all the bases here. I bet the security team is kicking themselves for not double-checking those security group rules. Rookie mistake, am I right? *chuckles*
upvoted 0 times
Lacey
7 months ago
Learning from mistakes is all part of the process in improving security measures.
upvoted 0 times
...
Maryann
7 months ago
They'll make sure to review all the security configurations next time.
upvoted 0 times
...
Willetta
8 months ago
Yeah, the security team will definitely learn from this mistake.
upvoted 0 times
...
Rozella
8 months ago
Absolutely. It's better to be safe than sorry when it comes to securing data.
upvoted 0 times
...
Theodora
8 months ago
I agree. Security should always be a top priority, especially with sensitive data.
upvoted 0 times
...
Vallie
8 months ago
For sure. One simple misconfiguration can cause a lot of headaches.
upvoted 0 times
...
Val
8 months ago
Yeah, definitely. It's always important to double-check those security group rules.
upvoted 0 times
...
...
Rima
8 months ago
Totally. And don't forget about the security group rules. Even if the permissions are set up correctly, if the security group is missing the outbound rule to the S3 managed prefix list, that could also be a problem.
upvoted 0 times
...
Aracelis
8 months ago
Yeah, I agree. The IAM permissions and KMS key policy are critical. If the instance profile doesn't have the right ListBucket and Decrypt actions, that could definitely cause the issue. I'd start there.
upvoted 0 times
...
Leonor
8 months ago
Hmm, this question seems pretty straightforward. I think the key issues here are around the IAM permissions and the KMS key policy. We definitely need to make sure the EC2 instance has the right permissions to list the S3 bucket and decrypt the objects using the KMS key.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77