Exam AWS Certified Security - Specialty topic 1 question 139 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 139
Topic #: 1

A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access an assigned folder only.
What should the Security Engineer do to achieve this?

  • A. Use envelope encryption with the AWS-managed CMK aws/s3.
  • B. Create a customer-managed CMK with a key policy granting "kms:Decrypt" based on the "${aws:username}" variable.
  • C. Create a customer-managed CMK for each user. Add each user as a key user in their corresponding key policy.
  • D. Change the applicable IAM policy to grant S3 access to "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
Suggested Answer: D
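A worked example of answer D, added here and not part of the exam page or of any comment below: the identity-based policy that uses the ${aws:username} policy variable, together with a small local evaluator that stands in for the IAM engine. The evaluator is an assumption for illustration only: it handles just the Allow statements and the StringLike condition this policy uses (no Deny, no bucket policy, no ACLs). The user names alice and bob and the object keys are constructed sample values. It shows why one policy document is enough for every user, and also the point raised in the discussion that the folder must actually be named after the user for the variable to match.

```python
"""Local simulation of an IAM policy using ${aws:username} to confine each
user to their own folder in examplebucket.  Added example; the evaluator is
a toy stand-in for IAM and is NOT how AWS evaluates policies internally."""
import fnmatch
import json

BUCKET = "examplebucket"

# Identity-based policy attached to every user (or to a role they assume).
# ${aws:username} is resolved from the caller at evaluation time, so the same
# document yields a different folder for each user, with no per-user keys.
# Being Allow-only, it does not stop a broader Allow attached elsewhere;
# a Deny statement or a permissions boundary would be needed for that.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOwnFolderOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::examplebucket",
      "Condition": {
        "StringLike": {"s3:prefix": ["${aws:username}/*", "${aws:username}"]}
      }
    },
    {
      "Sid": "ObjectsInOwnFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    }
  ]
}
"""


def resolve_variables(policy_text, username):
    """Substitute the aws:username policy variable (the only one used here)."""
    return policy_text.replace("${aws:username}", username)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def conditions_match(condition, context):
    """Toy condition check: supports only StringLike, which is all we need."""
    for key, patterns in condition.get("StringLike", {}).items():
        value = context.get(key)
        if value is None:
            return False
        if not any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns)):
            return False
    return True


def is_allowed(username, action, resource, context=None):
    """Return True if any Allow statement in POLICY_JSON matches the request.

    `context` carries request-time condition keys such as s3:prefix.
    IAM wildcards (* and ?) map directly onto fnmatch, and fnmatch's '*'
    crosses '/' just as IAM's does.
    """
    context = context or {}
    policy = json.loads(resolve_variables(POLICY_JSON, username))
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # Deny is not modelled in this toy evaluator
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not conditions_match(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def object_access(username, key, action="s3:GetObject"):
    """Can `username` perform `action` on object `key` in the bucket?"""
    return is_allowed(username, action, f"arn:aws:s3:::{BUCKET}/{key}")


def list_access(username, prefix):
    """Can `username` list the bucket under `prefix`?"""
    return is_allowed(username, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}",
                      {"s3:prefix": prefix})


if __name__ == "__main__":
    # Constructed sample requests: same policy, different callers.
    for user, key in [("alice", "alice/report.pdf"), ("alice", "bob/report.pdf"),
                      ("alice", "shared/report.pdf"), ("bob", "bob/report.pdf")]:
        print(f"{user:6} GetObject {key:20} -> {object_access(user, key)}")
    for user, prefix in [("alice", "alice/"), ("alice", "bob/"), ("alice", "")]:
        print(f"{user:6} ListBucket prefix={prefix!r:10} -> {list_access(user, prefix)}")
```

The key point visible in the output: alice is allowed under alice/ and denied under bob/ or shared/, because the variable is replaced by the caller's own name before the Resource ARN and the s3:prefix condition are matched. Objects stored outside a folder named exactly after the user never match, which is the caveat raised in the discussion about the path pattern. In real AWS the equivalent check is done by IAM itself; this evaluator only mirrors the matching logic for the two statement shapes shown.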

Comments

RaySmith
Highly Voted 3 years, 9 months ago
D to me
upvoted 13 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
Correct answer is D. Obviously all users are allowed to access the KMS key and the "kms:Decrypt" action. The point is to restrict the action to the prefix that belongs to each of them. The policy variable for this case is arn:aws:s3:::examplebucket/${aws:username}/
upvoted 1 times
ITGURU51
2 years, 2 months ago
As per AWS documentation: If the IAM user and S3 bucket belong to the same AWS account, then you can grant the user access to a specific bucket folder using an IAM policy. As long as the bucket policy doesn't explicitly deny the user access to the folder, you don't need to update the bucket policy if access is granted by the IAM policy. You can add the IAM policy to individual IAM users, or you can attach the IAM policy to an IAM role that multiple users can switch to. Answer D
upvoted 2 times
roguecloud
2 years, 4 months ago
Selected Answer: D
D for me. Found this on another site which had B marked as the correct answer. Hmm. Really appreciate that we have the discussions here!
upvoted 2 times
hubekpeter
2 years, 7 months ago
Selected Answer: D
In case of B, you need to re-encrypt the data, which can be costly. The bucket already exists, therefore D is more appropriate in this case.
upvoted 3 times
bobsmith2000
2 years, 10 months ago
Selected Answer: B
B and D make sense. For B look up the following link: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html We can utilize kms:EncryptionContext for adding IAM variables such as aws:username. CMK allows centralized access control, and if it's not explicitly allowed in a key policy, the request is going to be denied (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html). So there's no way to allow access to S3 objects if it's not allowed in the key policy. D: it's a workable solution, but we ALLOW access. So any user can extend their privs by adding another policy for the entire bucket. There are no key policies involved due to Amazon-managed keys.
upvoted 1 times
sapien45
2 years, 10 months ago
Selected Answer: D
https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/ You can do this by using policy variables, which allow you to specify placeholders in a policy. When the policy is evaluated, the policy variables are replaced with values that come from the request itself. This example shows a policy for an Amazon S3 bucket that uses the policy variable ${aws:username}:
upvoted 1 times
Rja148393
2 years, 11 months ago
Selected Answer: D
D - this example is given here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
upvoted 1 times
dcasabona
2 years, 11 months ago
Selected Answer: D
agree on D.
upvoted 1 times
network_zeal
3 years, 6 months ago
D looks best, but does it assume that the folder path has to follow a certain pattern that contains the user name in it? What if the path to be granted access to does not have this pattern set?
upvoted 3 times
pfilourenco
3 years, 8 months ago
D is correct if the folder has the name of the user.
upvoted 2 times
kiev
3 years, 8 months ago
D for me
upvoted 1 times
skipbaylessfor3
3 years, 8 months ago
Looks like it is D: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html Scroll down a bit to the section labeled "Allowing each IAM user access to a folder in a bucket" and it explains how you can use the ${aws:username} policy variable to restrict users to their assigned folders only
upvoted 2 times
sanjaym
3 years, 9 months ago
I'll go with D
upvoted 2 times
AWS_Noob_007
3 years, 9 months ago
I don't think it is D. The question is asking for folder-level restriction. You cannot do this with an IAM policy - only an S3 ACL.
upvoted 1 times
DerekKey
3 years, 8 months ago
WRONG - https://aws.amazon.com/premiumsupport/knowledge-center/s3-folder-user-access/
upvoted 1 times
pitz
3 years, 9 months ago
d for me
upvoted 2 times
gfhbox0083
3 years, 9 months ago
D, for sure
upvoted 2 times