Exam AWS Certified Security - Specialty topic 1 question 312 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 312
Topic #: 1

A company's security engineer is configuring Amazon S3 permissions to ban all current and future public buckets. However, the company hosts several websites directly off S3 buckets with public access enabled.
The engineer needs to block the public S3 buckets without causing any outages on the existing websites. The engineer has set up an Amazon CloudFront distribution for each website.
Which set of steps should the security engineer implement next?

  • A. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for websites to point to the CloudFront distribution. Enable block public access settings at the account level.
  • B. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for the websites to point to the CloudFront distribution. Then, for each S3 bucket, enable block public access settings.
  • C. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Enable block public access settings at the account level.
  • D. Configure an S3 bucket as the origin for the CloudFront distribution. Configure the S3 bucket policy to accept connections from the CloudFront points of presence only. Switch the DNS records for the websites to point to the CloudFront distribution. Enable block public access settings at the account level.
Suggested Answer: A

Comments

TigerInTheCloud
Highly Voted 3 years, 2 months ago
Selected Answer: A
Amazon S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level, now and in the future, by using S3 Block Public Access.
A - Good.
B - Cannot prevent future public buckets from being created.
C - DNS records of the 'webpages directly on Amazon S3 buckets' need to point to CF now.
D - OAI, not CloudFront points of presence, is used for identifying incoming traffic from CF.
upvoted 12 times
argol
Highly Voted 3 years, 6 months ago
To restrict access to content that you serve from Amazon S3 buckets, follow these steps: Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution. Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there. "D" is the answer
upvoted 11 times
francisco_guerra
3 years ago
D does not mention OAI, so the answer is A. And yes, we need to update DNS: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/
upvoted 7 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
Keyword: "ban all current and FUTURE public buckets." Therefore the choice is to block public access at the account level, to block public bucket creation in the future, rather than blocking public access to existing buckets only. Search for and identify keywords that edge one option over the other. In this question, it edges A over B (D is not even an option).
upvoted 1 times
TPBABA
1 year, 8 months ago
A IS THE ANSWER
upvoted 1 times
Toptip
2 years, 1 month ago
Selected Answer: A
A no doubts... You need: OAI + CF + Enable block public access settings at the account level.
upvoted 1 times
ITGURU51
2 years, 2 months ago
We need to block S3 public access at the account level. When this security control is configured it applies account-wide for all current and future buckets.
upvoted 1 times
nairj
2 years, 2 months ago
Answer is A. D: What is the need to configure the S3 bucket policy to accept connections from the CloudFront points of presence only? It has to be configured using OAI or OAC, so I think the answer is A.
upvoted 1 times
milofficial
2 years, 4 months ago
Selected Answer: A
C is bogus. B is wrong because future S3 buckets can still be public. D is wrong as it is missing OAI. A is right.
upvoted 2 times
Smartphone
2 years, 5 months ago
Correct Answer is D. A is missing the bucket policy.
upvoted 1 times
luisfsm_111
2 years, 5 months ago
Selected Answer: A
It's A
upvoted 1 times
Teknoklutz
2 years, 6 months ago
Selected Answer: A
A should be the answer - OAI
upvoted 1 times
awsec2
2 years, 6 months ago
A. To block the public S3 buckets, the security engineer should enable block public access settings at the account level. This will block all current and future public buckets in the account. To prevent outages on the existing websites, the security engineer should configure an S3 bucket as the origin for the CloudFront distribution and switch the DNS records for the websites to point to the CloudFront distribution. This will allow the websites to continue to be served from the S3 buckets through the CloudFront distribution.
upvoted 1 times
cloud_collector
2 years, 9 months ago
Selected Answer: D
1#. You can use the S3 console, AWS CLI, AWS SDKs, and REST API to configure block public access settings for all the buckets in your account. https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html
2#. When you use CloudFront with an Amazon S3 bucket as the origin, you can configure CloudFront and Amazon S3 ..... To do this, configure CloudFront to send authenticated requests to Amazon S3, and configure Amazon S3 to only allow access to authenticated requests from CloudFront. CloudFront provides two ways to send authenticated requests to an Amazon S3 origin: origin access control (OAC) and origin access identity (OAI). https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-oai
upvoted 2 times
cloud_collector
2 years, 9 months ago
3#. CloudFront origin access identity (OAI) provides similar functionality as origin access control (OAC), but it doesn't work for all scenarios. This is why we recommend using OAC instead. Specifically, OAI doesn't support: → New AWS Regions launched after December 2022 ← https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-oai In the question, "...configuring Amazon S3 permissions to ban all current and future public buckets."
upvoted 1 times
cloud_collector
2 years, 9 months ago
4#. Before you create an origin access control (OAC) or set it up in a CloudFront distribution, make sure the OAC has permission to access the S3 bucket origin. Do this after creating a CloudFront distribution, but before adding the OAC to the S3 origin in the distribution configuration. To give the OAC permission to access the S3 bucket, use an S3 bucket policy to allow the CloudFront service principal (cloudfront.amazonaws.com) to access the bucket. Use a Condition element in the policy to allow CloudFront to access the bucket only when the request is on behalf of the CloudFront distribution that contains the S3 origin. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-oai
upvoted 1 times
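As an added example (not from the exam question or from any commenter's post), the following Python builds the OAC-style bucket policy that cloud_collector's comment 4# describes (the CloudFront service principal plus an aws:SourceArn condition tied to one distribution) and contrasts it with the public-read policy a static website bucket typically carries. A simplified version of the S3 "public policy" test then shows which buckets still depend on anonymous access and must be re-pointed through CloudFront before account-level Block Public Access is enabled, which is the ordering the question turns on. The account id, bucket name and distribution id are constructed placeholders.

```python
"""Bucket-policy check for the S3 website -> CloudFront migration discussed above.

Added example, not part of the exam question or any commenter's post.
Account id, bucket name and distribution id are constructed placeholders.
"""
import json

ACCOUNT_ID = "111122223333"          # constructed placeholder
BUCKET = "example-website-bucket"    # constructed placeholder
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"  # constructed placeholder

# Typical policy on a bucket used for S3 static website hosting (constructed):
# anyone may read objects, which is exactly what Block Public Access stops.
PUBLIC_WEBSITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def build_oac_bucket_policy(bucket, account_id, distribution_id):
    """Policy that lets only one CloudFront distribution read the bucket via OAC.

    Grants the CloudFront service principal s3:GetObject, scoped with
    aws:SourceArn to the distribution that owns the S3 origin.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                }
            },
        }],
    }


def _principal_is_anyone(principal):
    """True for the wildcard principal forms '*' and {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Return the Sids of Allow statements that grant access to everyone.

    Simplified version of the S3 'public' test: an Allow statement with a
    wildcard principal and no Condition is public. Real S3 also treats some
    conditioned wildcard grants as public; a service principal scoped by
    aws:SourceArn, as in the OAC policy above, is not public.
    """
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_anyone(stmt.get("Principal")) and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", f"statement-{i}"))
    return hits


def is_public_policy(policy):
    return bool(public_statements(policy))


def migration_plan(bucket_policies):
    """Given {bucket: policy}, list the buckets whose policy must be replaced
    (and whose DNS must point at CloudFront) before account-level Block Public
    Access is turned on; otherwise RestrictPublicBuckets cuts off anonymous
    website visitors and the site goes down."""
    return sorted(b for b, p in bucket_policies.items() if is_public_policy(p))


if __name__ == "__main__":
    oac_policy = build_oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID)
    print(json.dumps(oac_policy, indent=2))
    print("website policy public:", is_public_policy(PUBLIC_WEBSITE_POLICY))
    print("OAC policy public:", is_public_policy(oac_policy))
    print("buckets to migrate first:",
          migration_plan({BUCKET: PUBLIC_WEBSITE_POLICY, "already-migrated": oac_policy}))
```

The classifier is deliberately conservative and only models the no-condition wildcard case; AWS's own definition of a public policy is the authority for anything subtler. The ordering encoded in `migration_plan` is the point of option A: swap the bucket policy to the CloudFront-scoped one and move DNS first, then enable Block Public Access at the account level so future buckets are covered too.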
Root_Access
2 years, 10 months ago
Selected Answer: D
I'd say it's D. Regardless of using OAI or OAC, you need to modify your bucket policy to allow the CloudFront distribution to access S3 files. Also, OAC is the new way of limiting access and Amazon recommends using it over OAI: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#migrate-from-oai-to-oac
upvoted 3 times
sapien45
2 years, 10 months ago
Selected Answer: A
https://aws.amazon.com/s3/features/block-public-access/#:~:text=Amazon%20S3%20is%20the%20only,on%20block%20all%20public%20access. Amazon S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level, now and in the future by using S3 Block Public Access. To ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access.
upvoted 2 times
dcasabona
2 years, 11 months ago
Selected Answer: A
Option A for sure.
upvoted 2 times
dcasabona
2 years, 11 months ago
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html
upvoted 1 times
ude
2 years, 11 months ago
Selected Answer: B
B for me
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other