Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 55 discussion

A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are deployed in a private subnet of a VPC that does not have internet access. The EC2 instances and the S3 buckets are in the same AWS account.
The EC2 instances access the S3 buckets through an S3 gateway endpoint that has the default access policy. Each EC2 instance is associated with an instance profile role that has a policy that explicitly allows the s3:GetObject action and the s3:PutObject action for only the required S3 buckets.
The company learns that one or more of the EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company's organization in AWS Organizations. A security engineer must implement a solution to stop this exfiltration of data and to keep the EC2 processing job functional.
Which solution will meet these requirements?

  • A. Update the policy on the S3 gateway endpoint to allow the S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.
  • B. Update the policy on the instance profile role to allow the S3 actions only if the value of the aws:ResourceOrgID condition key matches the company's value.
  • C. Add a network ACL rule to the subnet of the EC2 instances to block outgoing connections on port 443.
  • D. Apply an SCP on the AWS account to allow the S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.
Suggested Answer: B
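As an added illustration (not from the question or any commenter), the following toy Python evaluator models the two condition keys the options turn on, aws:ResourceOrgID and aws:PrincipalOrgID, and runs three constructed policies through it: an SCP in the shape of the blog's "Example 3" that option D points at, the question's bucket-scoped instance role policy, and a deliberately broad identity policy. The org IDs, bucket names and policy JSON are constructed placeholders, and the evaluator is a simplification, not the AWS policy engine.

```python
import re
COMPANY_ORG = "o-companyorg11"  # constructed placeholder org ID
OTHER_ORG = "o-attackerorg1"    # constructed placeholder org ID

# Constructed SCP in the shape of the blog "Example 3" that option D points at:
# deny any S3 call where the bucket's organization differs from the caller's.
SCP_OPTION_D = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::*/*",
    "Condition": {"StringNotEquals": {"aws:ResourceOrgID": "${aws:PrincipalOrgID}"}}}]}
# The instance profile role from the question (bucket name constructed).
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::analysis-data/*"}]}
# A constructed broad identity policy, to show what the SCP adds when the
# identity policy is not already scoped to specific buckets.
BROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _match(pattern, value):
    # IAM-style match: '*' in a pattern matches any run of characters
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def _condition_ok(cond, ctx):
    # StringEquals / StringNotEquals; keys are ANDed, "${key}" resolves as a policy
    # variable, and a key absent from the context makes StringNotEquals true.
    for operator, keys in cond.items():
        for key, expected in keys.items():
            expected = re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), expected)
            equal = ctx.get(key) == expected
            if (operator == "StringEquals") != equal:
                return False
    return True

def evaluate(policies, action, resource, ctx):
    # Explicit Deny in any policy wins; otherwise some Allow statement must match.
    allowed = False
    for stmt in (s for p in policies for s in p["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (not any(_match(a, action) for a in actions) or not _match(stmt["Resource"], resource)
                or not _condition_ok(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def put_from_instance(policies, bucket, bucket_org):
    # PutObject by the instance role (company org) to a bucket owned by bucket_org;
    # None models a bucket outside any organization (aws:ResourceOrgID absent).
    ctx = {"aws:PrincipalOrgID": COMPANY_ORG}
    if bucket_org:
        ctx["aws:ResourceOrgID"] = bucket_org
    return evaluate(policies, "s3:PutObject", f"arn:aws:s3:::{bucket}/dump.bin", ctx)
```

Running put_from_instance with the role policy alone, with the broad policy alone, and with the SCP stacked on either shows which layer actually blocks a write to a bucket in another organization (or in no organization at all), which is the point the commenters below disagree about.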

Comments

kejam
Highly Voted 7 months, 1 week ago
Selected Answer: D
Answer D based on the syntax of these answers. A. This could work, but you don't need aws:ResourceOrgID and aws:PrincipalOrgID. You can add allowed buckets (internal or external) as needed, which is much more flexible IMO. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#edit-vpc-endpoint-policy-s3 B. This doesn't prevent S3 actions on external accounts. C. This does nothing as the S3 endpoint is inside the VPC. D. This solution matches the answer exactly. Example 3: https://aws.amazon.com/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/
upvoted 10 times
NoCrapEva
4 months, 1 week ago
Also the question states the company has AWS Organisations; therefore any policy restrictions SHOULD be done at the Organisation level, in this case with an SCP.
upvoted 1 times
AgboolaKun
7 months, 1 week ago
I agree totally. I have always thought that D is the correct answer but I could not locate any supporting documentation online. Thank you for providing the link. Example 3 in the link, as you pointed out, tallies with the scenario in this question.
upvoted 1 times
Raphaello
4 months ago
In fact, Example 3 "Restrict access to AWS resources within my organization" (in this case S3) means denying access from principals (e.g. EC2 instance roles) that do not belong to the S3 Org. That example does not correspond to what we need to do here! "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::*/*", "Condition": { "StringNotEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}" } } Note the "PrincipalOrgID" is a variable. Whereas we basically want our own EC2 instances not to access S3 buckets that belong to another account: "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*/*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": [ "o-yyyyyyyyyy" ] } } Or maybe even add an explicit deny statement if the "aws:ResourceOrgID" does not equal my Org ID "o-yyyyyyyyyy".
upvoted 1 times
100fold
Highly Voted 8 months ago
D https://aws.amazon.com/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/
upvoted 6 times
icecool36
Most Recent 1 month, 2 weeks ago
Selected Answer: D
SCP is the right choice. Not B: This is only effective if the nodes are replaced. The processing must not be interrupted. Not A: This does not do anything against the exfiltration. Not C: This will not work.
upvoted 1 times
9bb8cb3
1 month, 4 weeks ago
Selected Answer: A
Blocking at the network layer would allow you to still have other workloads that can talk to other buckets outside of the account, whereas option D, as others have suggested, would mean no workload in the account would ever be able to talk to a bucket outside the org, which is IMO too restrictive; the question is not asking for a general solution, just one to this specific problem. You can also create additional VPC endpoints and bind them to other route tables which don't have this policy, to allow for other architectural possibilities mentioned above.
upvoted 1 times
ion_gee
2 months, 2 weeks ago
The correct answer should be B, as it directly addresses the issue. Option D seems too broad, and might affect other roles in the Account.
upvoted 1 times
Noexperience
3 months, 3 weeks ago
Selected Answer: B
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucket-name/*",
            "arn:aws:s3:::another-bucket/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceOrgID": "YOUR_AWS_ORGANIZATION_ID"
            }
          }
        }
      ]
    }
(The two Resource entries are the specific buckets to restrict to.)
upvoted 1 times
bkbaws
3 months, 3 weeks ago
Selected Answer: A
The EC2 role's S3 GET/PUT permissions are restricted to the appropriate buckets, so the exfiltration bucket access is being granted by the default S3 gateway resource policy. Hence restricting the EC2-attached IAM role to the given organization (B) will do nothing, and B is incorrect. C would break everything. For (D): SCPs don't apply to resource policies, so exfiltration would continue through the S3 gateway. Answer is A.
upvoted 1 times
Raphaello
4 months, 1 week ago
Selected Answer: B
The problem is that EC2 instances are exfiltrating data to an S3 bucket that is outside the company's organization in AWS Organizations. So we need to make sure those instances cannot put the data into an external account's bucket. Therefore, we need to restrict access ONLY to resources within an organization using the condition "aws:ResourceOrgID". Remember, it is not about controlling access to our own S3 bucket. It is about stopping EC2 instances from exfiltrating our data to accounts outside our Org. Option B is the correct answer.
upvoted 1 times
LazyAutonomy
4 months, 2 weeks ago
Selected Answer: A
Answer is A. D is wrong because attackers won't use EC2 instance credentials to exfil data; no attacker is that stupid.
upvoted 1 times
LazyAutonomy
4 months, 2 weeks ago
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#edit-vpc-endpoint-policy-s3 https://developer.squareup.com/blog/adopting-aws-vpc-endpoints-at-square/
upvoted 1 times
mark16dc
4 months, 2 weeks ago
Given the effectiveness and direct impact on preventing data exfiltration to external S3 buckets, Option D is the correct solution. It leverages the organizational control provided by AWS Organizations to enforce policy restrictions at the account level, ensuring that S3 actions are confined to the company's organizational boundaries, thus meeting the security requirements without disrupting the EC2 processing jobs.
upvoted 1 times
RNan
5 months, 2 weeks ago
Answer: B. The compromised EC2 instances are exfiltrating data to an S3 bucket outside the company's organization. By updating the policy on the instance profile role, you can restrict the S3 actions to only allow access to the required S3 buckets within the company's organization.
upvoted 1 times
Daniel76
5 months, 3 weeks ago
Selected Answer: D
Between A and D, A must be ruled out because: "An endpoint policy does not override or replace identity-based policies or resource-based policies." So either the compromised EC2 instance or the external S3 bucket can override the endpoint policy. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
upvoted 1 times
DebbieB67
5 months, 3 weeks ago
Selected Answer: D
Answer D
upvoted 1 times
yorkicurke
6 months ago
Selected Answer: A
This ensures that only resources from within the company's AWS Organization can access the S3 bucket through the endpoint. This prevents any exfiltration of data from compromised EC2 instances to external S3 buckets, while STILL allowing the processing job on the instances to function normally by accessing the company's internal S3 resources through the private endpoint. https://repost.aws/questions/QU2Qx3s51DQ9SyrlWueh9L_Q/restrict-access-to-s3-bucket
upvoted 1 times
Oralinux
6 months, 1 week ago
Answer B
upvoted 1 times
1c7c461
6 months, 1 week ago
Selected Answer: B
The answer is B. You all missed the part that the EC2 instance is compromised. The restriction has to be added to the instance profile of the EC2 instance to restrict which S3 buckets it can connect to. This question is about limiting access from EC2 to external S3 buckets.
upvoted 5 times
WeepingMaplte
6 months, 1 week ago
Selected Answer: A
I will go with A although D is also a possible method.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other