
Exam AWS Certified Security - Specialty topic 1 question 109 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 109
Topic #: 1

An application makes calls to AWS services using the AWS SDK. The application runs on Amazon EC2 instances with an associated IAM role. When the application attempts to access an object within an Amazon S3 bucket, the Administrator receives the following error message: HTTP 403: Access Denied.
Which combination of steps should the Administrator take to troubleshoot this issue? (Choose three.)

  • A. Confirm that the EC2 instance's security group authorizes S3 access.
  • B. Verify that the KMS key policy allows decrypt access for the KMS key for this IAM principal.
  • C. Check the S3 bucket policy for statements that deny access to objects.
  • D. Confirm that the EC2 instance is using the correct key pair.
  • E. Confirm that the IAM role associated with the EC2 instance has the proper privileges.
  • F. Confirm that the instance and the S3 bucket are in the same Region.
Suggested Answer: BCE

Comments

chengxu32
Highly Voted 3 years, 7 months ago
BCE is correct, per the following S3 403 error troubleshooting guide: https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/
upvoted 21 times
...
dcasabona
Highly Voted 2 years, 9 months ago
Selected Answer: BCE
My first choice was A, C and E, but after reading @Larsson's question and @halfway's response I changed my mind to B, C and E.
upvoted 6 times
...
Deyemzy
Most Recent 11 months, 1 week ago
ACE. B - This step is only necessary if the S3 bucket is using server-side encryption with a KMS key (SSE-KMS). If the objects are not encrypted using KMS, this step is irrelevant to the 403 error.
upvoted 1 times
...
Raphaello
1 year, 3 months ago
Selected Answer: BCE
BCE are the correct answers.
upvoted 1 times
...
Tofu13
1 year, 11 months ago
Selected Answer: BCE
A is wrong as a security group denying access to s3 would lead to some kind of timeout.
upvoted 2 times
...
refuz
3 years, 6 months ago
B,C and E
upvoted 3 times
...
Hungdv
3 years, 7 months ago
B, C and E
upvoted 4 times
DahMac
3 years, 6 months ago
Check Key, Bucket, Role (B,C,E) privs
upvoted 2 times
...
...
Larsson
3 years, 7 months ago
ACE it could be, because the question does not even mention encryption and the security group acting on the instance could very well block the access to an S3 bucket (especially if that access is via HTTP(S), then the security group would just not have egress port 80/443). Why not?
upvoted 2 times
halfway
3 years, 7 months ago
If the port is blocked, there will not be a 403 HTTP response.
upvoted 7 times
...
...
[Removed]
3 years, 7 months ago
Just to add I think the question is maybe missing info. But links for reference: https://aws.amazon.com/premiumsupport/knowledge-center/decrypt-kms-encrypted-objects-s3/ , https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/
upvoted 3 times
...
[Removed]
3 years, 7 months ago
BCE is correct
upvoted 3 times
...
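An added example, not part of the original question or any comment above: a simplified offline model of checks B, C and E, run against constructed policy documents. It ignores Condition, NotAction and cross-account rules and assumes access is granted through the role's identity policy; the ARNs, policies and the `diagnose_403` helper are hypothetical.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_ok(stmt, principal):
    # Identity policies have no Principal element; resource policies do.
    if "Principal" not in stmt:
        return True
    p = stmt["Principal"]
    return p == "*" or principal in _as_list(p.get("AWS", []))

def effect(policy, principal, action, resource):
    """'Deny' if any matching statement denies, else 'Allow' if one allows, else None."""
    hits = set()
    for s in policy.get("Statement", []):
        if (_principal_ok(s, principal)
                and any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"]))):
            hits.add(s["Effect"])
    return "Deny" if "Deny" in hits else ("Allow" if "Allow" in hits else None)

def diagnose_403(role_arn, role_policy, bucket_policy, object_arn, key_policy=None, key_arn=None):
    """Return the checks (labelled C, E, B as in the question) that explain a 403."""
    findings = []
    if effect(bucket_policy, role_arn, "s3:GetObject", object_arn) == "Deny":
        findings.append("C: bucket policy explicitly denies s3:GetObject")
    if effect(role_policy, role_arn, "s3:GetObject", object_arn) != "Allow":
        findings.append("E: role policy does not allow s3:GetObject")
    # B only applies when the object is encrypted with SSE-KMS.
    if key_policy is not None and effect(key_policy, role_arn, "kms:Decrypt", key_arn) != "Allow":
        findings.append("B: KMS key policy does not allow kms:Decrypt for the role")
    return findings

# Constructed sample data (placeholder account ID, bucket, and key).
ROLE = "arn:aws:iam::111122223333:role/app-role"
OBJ = "arn:aws:s3:::example-bucket/reports/q1.csv"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*",
                              "Resource": "arn:aws:s3:::example-bucket/*"}]}
BUCKET_DENY = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                              "Resource": "arn:aws:s3:::example-bucket/reports/*"}]}
KEY_POLICY = {"Statement": [{"Effect": "Allow",
                             "Principal": {"AWS": "arn:aws:iam::111122223333:role/other-role"},
                             "Action": "kms:Decrypt", "Resource": "*"}]}

if __name__ == "__main__":
    for line in diagnose_403(ROLE, ROLE_POLICY, BUCKET_DENY, OBJ, KEY_POLICY, KEY):
        print(line)
```

With the sample data, the bucket policy's explicit Deny and the key policy that names a different role are both reported, while the role policy passes.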