Exam AWS Certified Solutions Architect - Professional topic 1 question 645 discussion

A company has an application that generates reports and stores them in an Amazon S3 bucket. When a user accesses their report, the application generates a signed URL to allow the user to download the report. The company's security team has discovered that the files are public and that anyone can download them without authentication. The company has suspended the generation of new reports until the problem is resolved.
Which set of actions will immediately remediate the security issue without impacting the application's normal workflow?

  • A. Create an AWS Lambda function that applies all policy for users who are not authenticated. Create a scheduled event to invoke the Lambda function.
  • B. Review the AWS Trusted Advisor bucket permissions check and implement the recommended actions.
  • C. Run a script that puts a Private ACL on all of the objects in the bucket.
  • D. Use the Block Public Access feature in Amazon S3 to set the IgnorePublicAcis option to TRUE on the bucket.
Suggested Answer: B

Comments

Ebi
Highly Voted 3 years, 7 months ago
I'll go with D
upvoted 7 times
Waiweng
Highly Voted 3 years, 7 months ago
it's D
upvoted 6 times
user0001
3 years ago
From the documentation: Setting this option to TRUE causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains. This setting enables you to safely block public access granted by ACLs while still allowing PUT Object calls that include a public ACL (as opposed to BlockPublicAcls, which rejects PUT Object calls that include a public ACL). Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
upvoted 1 times
maxh8086
Most Recent 2 years, 5 months ago
https://aws.amazon.com/about-aws/whats-new/2018/02/aws-trusted-advisors-s3-bucket-permissions-check-is-now-free/ https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html#amazon-s3-bucket-permissions
upvoted 1 times
kangtamo
2 years, 11 months ago
Selected Answer: D
D sounds better.
upvoted 2 times
GeniusMikeLiu
3 years, 4 months ago
" The company's security staff determined that the files are accessible to the public and may be downloaded without authentication" mean want public access right? why D? so confused
upvoted 1 times
cldy
3 years, 6 months ago
D. Use the Block Public Access feature in Amazon S3 to set the IgnorePublicAcis option to TRUE on the bucket.
upvoted 2 times
AzureDP900
3 years, 6 months ago
D is right. The S3 bucket is allowing public access and this must be immediately disabled. Setting the IgnorePublicAcls option to TRUE causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains. The other settings you can configure with the Block Public Access Feature are:
  • BlockPublicAcls – PUT bucket ACL and PUT objects requests are blocked if granting public access.
  • BlockPublicPolicy – Rejects requests to PUT a bucket policy if granting public access.
  • RestrictPublicBuckets – Restricts access to principals in the bucket owners’ AWS account.
upvoted 2 times
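An added example, not part of the original thread: a Python audit over constructed `GetObjectAcl`- and `GetPublicAccessBlock`-shaped responses, showing why `BlockPublicAcls` alone leaves an already-public report exposed while `IgnorePublicAcls` neutralizes the stored grant. The object keys, owner ID and function names are assumptions; bucket policies and pre-signed requests are not modeled.

```python
# Added example: audits constructed S3 API-shaped responses offline.
# Keys, owner ID and function names are illustrative assumptions.

# ACL grantee groups that S3 treats as "public".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_permissions(acl):
    """Permissions a GetObjectAcl-shaped dict grants to public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS)


def keys_with_public_acl(object_acls):
    """Keys that still carry a public grant, whether or not S3 honours it."""
    return sorted(k for k, acl in object_acls.items() if public_permissions(acl))


def exposed_keys(object_acls, public_access_block):
    """Keys whose public READ grant is still evaluated by S3."""
    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    if cfg.get("IgnorePublicAcls", False):
        return []  # grants remain stored but are ignored at request time
    return sorted(k for k, acl in object_acls.items()
                  if {"READ", "FULL_CONTROL"} & set(public_permissions(acl)))


def pab(**enabled):
    """Build a GetPublicAccessBlock-shaped dict; unspecified flags are False."""
    return {"PublicAccessBlockConfiguration":
            {flag: enabled.get(flag, False) for flag in PAB_FLAGS}}


# Constructed sample data.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group",
                  "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
SAMPLE_ACLS = {"reports/alice.pdf": {"Grants": [OWNER, ALL_USERS_READ]},
               "reports/bob.pdf": {"Grants": [OWNER]}}

if __name__ == "__main__":
    for label, cfg in [("no block", pab()),
                       ("BlockPublicAcls only", pab(BlockPublicAcls=True)),
                       ("IgnorePublicAcls", pab(IgnorePublicAcls=True))]:
        print(f"{label:22} exposed={exposed_keys(SAMPLE_ACLS, cfg)}")
    print("ACLs still stored on:", keys_with_public_acl(SAMPLE_ACLS))
```

Because the public grant stays stored on the object, `keys_with_public_acl` still reports it after the setting is enabled, so ACL cleanup can follow as a separate step.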
andylogan
3 years, 7 months ago
It's D - pre-signed URL is to allow unauthenticated users access to the bucket in private
upvoted 2 times
tgv
3 years, 7 months ago
DDD ---
upvoted 1 times
WhyIronMan
3 years, 7 months ago
I'll go with D
upvoted 1 times
Kian1
3 years, 7 months ago
going with D
upvoted 5 times
Bulti
3 years, 8 months ago
Answer is D. Remember that the purpose of creating a pre-signed URL is to allow unauthenticated users access to the bucket or the objects in the bucket which are private. So if someone can still access the bucket then the buckets or the objects in the bucket have been granted a public ACL which needs to be blocked and the way to do that is by using the IgnorePublicAcls setting.
upvoted 4 times
petebear55
3 years, 8 months ago
B could be the answer .. however it would probably AWS Macie which does the needful. .. I will go for D in this case .. however i'm not hundred percent convinced and think the question is poorly written
upvoted 1 times
shammous
3 years, 7 months ago
B won't "immediately remediate the security issue". D would.
upvoted 2 times
T14102020
3 years, 8 months ago
Correct is D.
upvoted 1 times
jackdryan
3 years, 8 months ago
I'll go with D
upvoted 2 times
smartassX
3 years, 8 months ago
D --> "IgnorePublicAcis" --> "Setting this option to TRUE causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains. This setting enables you to safely block public access granted by ACLs while still allowing PUT Object calls that include a public ACL (as opposed to BlockPublicAcls, which rejects PUT Object calls that include a public ACL). Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set."
upvoted 4 times
asldavid
3 years, 8 months ago
D https://aws.amazon.com/s3/features/block-public-access/
upvoted 3 times
Gmail78
3 years, 8 months ago
what is IgnorePublicAcis? I would go with A instead
upvoted 1 times
avland
3 years, 8 months ago
Pretty sure there's a typo there. Should be IgnorePublicAcls. Block public access to buckets and objects granted through any access control lists (ACLs) S3 will ignore all ACLs that grant public access to buckets and objects.
upvoted 3 times
Kelvin1477
3 years, 8 months ago
Support D too, as mentioned: the pre-signed URL that is shared to the user will not be blocked, but the policy will block any other public access: https://acloud.guru/forums/s3-masterclass/discussion/-LsBZBXjnnNdi4dT1Czi/block%20public%20access%20vs%20pre-signed%20URL%20access
upvoted 2 times