Exam AWS Certified Security - Specialty topic 1 question 346 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 346
Topic #: 1

A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in an Amazon S3 bucket. The log files are encrypted using AWS KMS. A security engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance. The security engineer is unable to access the logs in the S3 bucket and receives an access denied error message.

What should the security engineer do to fix this issue?

  • A. Check that the role the security engineer uses grants permission to decrypt objects using the KMS CMK.
  • B. Check that the role the security engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
  • C. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
  • D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK.
Suggested Answer: C
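
An added example (not part of the original question or its discussion): a simplified Python check of whether the identity policy on the role in the EC2 instance profile allows both the KMS decrypt and the S3 reads the tool needs. The bucket name, key ARN, account ID, object key and both policies are constructed placeholders, and the check ignores Condition, NotAction/NotResource, bucket policies and the KMS key policy.

```python
from fnmatch import fnmatchcase

# Constructed placeholders (not from the page): bucket ARN, key ARN, object key.
BUCKET = "arn:aws:s3:::example-central-trail-logs"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OBJECT = BUCKET + "/AWSLogs/111122223333/CloudTrail/us-east-1/sample.json.gz"

# Assumed mapping of "decrypt + bucket and object access" to IAM actions.
REQUIRED = [("s3:ListBucket", BUCKET), ("s3:GetObject", OBJECT), ("kms:Decrypt", KEY)]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are not.
    # fnmatch is a simplification of IAM's * and ? wildcards.
    action_ok = any(fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok

def missing_permissions(policy, required=REQUIRED):
    """Return the (action, resource) pairs the identity policy does not allow."""
    stmts = _as_list(policy.get("Statement", []))
    missing = []
    for action, resource in required:
        hits = [s.get("Effect") for s in stmts if _matches(s, action, resource)]
        # An explicit Deny always overrides an Allow.
        if "Deny" in hits or "Allow" not in hits:
            missing.append((action, resource))
    return missing

# Constructed policy in the shape of option D: decrypt only, no S3 access.
DECRYPT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY}]}

# Constructed policy in the shape of option C: decrypt plus bucket and objects.
DECRYPT_AND_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]}]}

if __name__ == "__main__":
    for name, policy in [("decrypt only", DECRYPT_ONLY), ("decrypt + S3", DECRYPT_AND_S3)]:
        print(name, "->", missing_permissions(policy) or "nothing missing")
```
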

Comments

Isaias
Highly Voted 2 years, 5 months ago
Selected Answer: C
C. To grant permission to an application (tool) running in the instance, you need to create an instance profile that contains the role for those permissions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
upvoted 9 times
...
D2
Highly Voted 2 years, 5 months ago
Selected Answer: C
Answer C. When the security engineer is accessing objects in S3 from the third-party tool on s3, he/she is using the instance profile.
upvoted 5 times
...
Toptip
Most Recent 1 year, 11 months ago
Selected Answer: C
C - EC2 instance profile uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
upvoted 1 times
...
Tofu13
1 year, 11 months ago
I guess C is fine, though strictly speaking it is not mandatory that the role gives access to the S3 bucket since a bucket policy would work as well. In that case D is as good or bad as C. Changing "give" access with "has" access and everything is fine. Multiple choice is really prone to these kinds of problems...
upvoted 1 times
...
Leonardocp33
2 years, 4 months ago
Selected Answer: C
For me it is C; it makes sense.
upvoted 2 times
...
Teknoklutz
2 years, 5 months ago
Selected Answer: C
Answer C
upvoted 1 times
...
tainh
2 years, 5 months ago
Selected Answer: C
C attach instance profile with role ( Decrypt KMS and access S3 )
upvoted 2 times
...
AdamWest
2 years, 5 months ago
Selected Answer: B
B - https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-default-encryption/ https://blog.skeddly.com/2016/06/giving-aws-credentials-to-third-party-services.html
upvoted 2 times
Balki
2 years, 5 months ago
It should be C. As long as the User can access EC2, it is fine
upvoted 1 times
...
...