ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 55 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 55
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are deployed in a private subnet of a VPC that does not have internet access. The EC2 instances and the S3 buckets are in the same AWS account.
The EC2 instances access the S3 buckets through an S3 gateway endpoint that has the default access policy. Each EC2 instance is associated with an instance profile role that has a policy that explicitly allows the s3:GetObject action and the s3:PutObject action for only the required S3 buckets.
The company learns that one or more of the EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company's organization in AWS Organizations. A security engineer must implement a solution to stop this exfiltration of data and to keep the EC2 processing job functional.
Which solution will meet these requirements?

  • A. Update the policy on the S3 gateway endpoint to allow the S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.
  • B. Update the policy on the instance profile role to allow the S3 actions only if the value of the aws:ResourceOrgID condition key matches the company's value.
  • C. Add a network ACL rule to the subnet of the EC2 instances to block outgoing connections on port 443.
  • D. Apply an SCP on the AWS account to allow the S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by 100fold at Oct. 21, 2023, 1:45 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
kejam
Highly Voted 1 year, 8 months ago
Selected Answer: D
Answer D based on the syntax of these answers. A. This could work, but you don't need aws:ResourceOrgID and aws:PrincipalOrgID You can add allowed buckets (internal or external) as needed which is much more flexible IMO. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#edit-vpc-endpoint-policy-s3 B. This doesn't prevent S3 actions on external accounts. C. This does nothing as the S3 endpoint is inside the VPC. D. This solution matches the answer exactly. Example 3: https://aws.amazon.com/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/
upvoted 15 times
NoCrapEva
1 year, 5 months ago
Also the question states the company has AWS Organisations - therefore any policy restrictions SHOULD be done at the Organisation level - In this case with a SCP
upvoted 2 times
...
AgboolaKun
1 year, 7 months ago
I agree totally. I have always thought that D is the correct answer but I could not locate any supported documentation online. Thank you for providing the link. The example 3 in the link as you pointed out tallies with the scenario in this question.
upvoted 1 times
...
Raphaello
1 year, 4 months ago
In fact Example 3 Restrict access to AWS resources (in this case S3) within my organization, which means denying access from principals (e.g. EC2 instance roles) that do not belong to S3 Org. That example does not correspond to what we need to do here! "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::*/*", "Condition": { "StringNotEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}"} Note the "PrincipalOrgID" is a variable. Whereas, we basically want our own EC2 instances not to access S3 that belong to another account. "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*/*", "Condition": {"StringEquals": {"aws:PrincipalOrgID": [ "o-yyyyyyyyyy" ]} Or maybe even add an explicit deny statement if the "aws:ResourceOrgID" does not equal my Org ID "0-yyyyyyyyyy".
upvoted 1 times
...
...
1c7c461
Highly Voted 1 year, 6 months ago
Selected Answer: B
The answer is B. You all missed the part that EC2 instance is compromised. The restriction has to be added to the instance profile of the ec2 instance to restrict which S3 buckets it can connect to. This question is about limiting access from EC2 to external S3 buckets.
upvoted 6 times
...
b5f86df
Most Recent 1 month ago
Selected Answer: D
The company is using AWS organizations and the best method to apply a filter in the resources it’s through an SCP
upvoted 1 times
...
2f5c7cd
1 month, 1 week ago
Selected Answer: A
https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-only-trusted-resources-from-my-organization/#:~:text=The%20condition%20key%20used%20to,to%20implement%20the%20resource%20perimeter.&text=In%20the%20next%20section%2C%20you,objective%20of%20the%20resource%20perimeter.
upvoted 1 times
...
AWSLoverLoverLoverLoverLover
4 months, 2 weeks ago
Selected Answer: A
The correct answer is A. Update the policy on the S3 gateway endpoint to allow the S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.
upvoted 1 times
...
AWSLoverLoverLoverLoverLover
4 months, 3 weeks ago
Selected Answer: A
Why is updating the S3 Gateway Endpoint policy the best solution? S3 Gateway Endpoints control access at the VPC level, ensuring that all S3 traffic passes through a controlled path. By modifying the endpoint policy to allow access only to S3 buckets within the company's AWS Organization, we prevent data exfiltration to external S3 buckets. D. Apply an SCP to the AWS account SCPs apply only to IAM identities (users, roles, accounts) and do not affect VPC Gateway Endpoints. This means compromised instances can still exfiltrate data through the endpoint.
upvoted 1 times
...
IPLogic
7 months, 1 week ago
Selected Answer: A
To stop the exfiltration of data from compromised EC2 instances to external S3 buckets while keeping the EC2 processing job functional, the best solution is option A: Update the policy on the S3 gateway endpoint to allow the S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values. This approach ensures that only resources and principals within the company's AWS Organization can perform S3 actions, effectively blocking any attempts to exfiltrate data to S3 buckets outside the organization. By updating the S3 gateway endpoint policy, you can enforce this restriction at the network level, providing a robust and centralized control mechanism
upvoted 3 times
...
mzeynalli
8 months ago
Selected Answer: A
Using Service Control Policies (SCPs) can be a part of a broader security strategy, but there are specific reasons why it may not be the most effective or immediate solution for the scenario where EC2 instances are compromised and exfiltrating data to an S3 bucket outside the company's organization: 1. Scope of SCPs: SCPs are designed to manage permissions across AWS Organizations. They apply to AWS accounts rather than individual resources. If the compromised instances are operating under an IAM role that has certain permissions, an SCP may not have the granularity needed to effectively restrict access at the resource level.
upvoted 3 times
...
jakie22332
8 months, 1 week ago
Selected Answer: B
https://aws.amazon.com/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/
upvoted 1 times
...
icecool36
1 year, 2 months ago
Selected Answer: D
SCP is the right choice. Not B: This is only effective if the nodes are replaced. The processing must not be interupted. Not A: THis does not do anything against the exfiltration Not C: THis will not work
upvoted 1 times
...
9bb8cb3
1 year, 2 months ago
Selected Answer: A
Blocking at the network layer would allow you still have other workloads that can talk to other buckets outside of the account whereas the option D as others have suggested would mean no workload in the account would ever be able to talk to a bucket outside the org which is IMO too restrictive and the solution is not asking for a general solution just to this specific problem. You can also create additional VPC endpoints and bound them to other route tables which don't have this policy as to allow for other architectural possibilities mentioned above,
upvoted 4 times
...
ion_gee
1 year, 3 months ago
The correct answer should be B, as it directly addresses the issue. Option D seems too broad, and might affect other roles in the Account.
upvoted 2 times
...
Noexperience
1 year, 4 months ago
Selected Answer: B
"Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::bucket-name/*", // Specific buckets to restrict "arn:aws:s3:::another-bucket/*" ], "Condition": { "StringEquals": { "aws:ResourceOrgID": "YOUR_AWS_ORGANIZATION_ID" } } } ] }
upvoted 2 times
...
bkbaws
1 year, 4 months ago
Selected Answer: A
the EC2 role S3 GET/PUT are restricted to the appropriate buckets, so the exfiltration bucket access is being granted by the default S3 gateway resource policy. Hence restricting the EC2 attached IAM role to the given organization (B) will do nothing and B is incorrect. C would break everything. For (D) - SCPs don't apply to resource policies, so exfiltration would continue through the S3 gateway. Answer is A
upvoted 2 times
...
Raphaello
1 year, 5 months ago
Selected Answer: B
The problem is that EC2 instance exfiltrating data to an S3 bucket that is outside the company's organization in AWS Organizations. So we need to make sure those instance cannot put the data to an external account's bucket. Therefore, we need to restrict access ONLY to resources within an organization using condition "aws:ResourceOrgID". Remember, it is not about controlling access to our own S3 bucket. It is about stopping EC2 instances from exfiltrate our data to accounts outside our Org. Option B is the correct answer.
upvoted 1 times
...
LazyAutonomy
1 year, 5 months ago
Selected Answer: A
Answer is A. D is wrong because attackers wont use EC2 instance credentials to exfil data - no attacker is that stupid.
upvoted 2 times
LazyAutonomy
1 year, 5 months ago
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#edit-vpc-endpoint-policy-s3 https://developer.squareup.com/blog/adopting-aws-vpc-endpoints-at-square/
upvoted 1 times
...
...
mark16dc
1 year, 5 months ago
Given the effectiveness and direct impact on preventing data exfiltration to external S3 buckets, Option D is the correct solution. It leverages the organizational control provided by AWS Organizations to enforce policy restrictions at the account level, ensuring that S3 actions are confined to the company's organizational boundaries, thus meeting the security requirements without disrupting the EC2 processing jobs.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel