Exam AWS Certified Security - Specialty topic 1 question 418 discussion


A company has application logs from AWS accounts in an organization in AWS Organizations. A security engineer is copying these logs to a centralized Amazon S3 bucket in the security team’s AWS account.

Each of the company’s applications is in its own AWS account. Logs are encrypted and pushed into S3 buckets that are associated with each account.

The security engineer deploys an AWS Lambda function into each account to copy the relevant log files to the centralized S3 bucket. The Lambda function can copy the log files into the centralized S3 bucket.

The Lambda function’s IAM execution role policy from the security team’s AWS account is the following:



The centralized S3 bucket policy is the following:



The security engineer needs to remove excess permissions while ensuring the functionality of the solution.

Which changes to the policies meet these requirements? (Choose two.)

  • A. Update the centralized S3 bucket policy to the following:


  • B. Update the centralized S3 bucket policy to the following:


  • C. Update the Lambda IAM execution role policy to the following:


  • D. Update the Lambda IAM execution role policy to the following:


  • E. Update the Lambda IAM execution role policy to the following:

Suggested Answer: BD

Comments

Toptip
2 years ago
Selected Answer: BD
B+D, I agree.
upvoted 1 times
PatrickLi
2 years, 4 months ago
Selected Answer: BD
Vote on BD.
upvoted 3 times
appashu
2 years, 5 months ago
Since the bucket policy already allows put permissions, Lambda will not need that permission again.
upvoted 1 times
ryogoku
2 years, 5 months ago
Selected Answer: BD
BD as others explained already.
upvoted 3 times
Un1c0rn
2 years, 6 months ago
Selected Answer: BD
Why NOT E? Lambda also needs s3:Get as well?
upvoted 1 times
ryogoku
2 years, 5 months ago
Because Lambda does not require Get operation to store logs in S3 bucket.
upvoted 1 times
secdaddy
2 years, 5 months ago
Clarification: Lambda doesn't need Get from the centralized bucket, only from the individual buckets in the source accounts.
upvoted 3 times
Balki
2 years, 6 months ago
Selected Answer: BD
Agree with others
upvoted 3 times
Isaias
2 years, 6 months ago
Selected Answer: BD
Guys, A cannot be. Why? Because you will get the error "Action does not apply to any resource(s) in statement" for actions like GetObject and PutObject. You need to specify the action inside your bucket with "*" in the ARN resource, https://bobbyhadz.com/blog/aws-s3-action-does-not-apply-to-resources. So I will go with B and D.
upvoted 3 times
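The resource-ARN point made in the comment above is worth seeing mechanically. The following Python is an added example, not code from the exam item or from this site, and it does not reproduce the question's own policies (which are not shown on this page). It builds constructed identity and bucket policies with made-up account ID, bucket names and role name, evaluates the copy operation against them using the two rules the thread turns on (object actions only match object ARNs; a cross-account request needs an Allow from both the identity policy and the bucket policy), and lints for object actions bound to a bare bucket ARN. Conditions are not modelled.

```python
"""Least-privilege check for the cross-account S3 log-copy pattern.

Added example (not from the exam question or the site). Models:
1. Object-level actions (s3:GetObject, s3:PutObject, ...) match only
   object ARNs (arn:aws:s3:::bucket/*). Listing them against the bare
   bucket ARN grants nothing; the console rejects such a statement with
   "Action does not apply to any resource(s) in statement".
2. Cross-account: the caller's identity policy AND the bucket policy must
   both allow the action; an explicit Deny in either wins. Same-account:
   an Allow in either one is enough.
Account IDs, bucket names and the role name below are made up.
"""
import fnmatch

OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
S3_PREFIX = "arn:aws:s3:::"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_object_arn(resource):
    # "*" covers objects; otherwise there must be a key part after the bucket name.
    return resource == "*" or (resource.startswith(S3_PREFIX) and "/" in resource[len(S3_PREFIX):])


def lint_s3_statements(policy):
    """List Allow statements that bind object actions to bucket-only ARNs."""
    problems = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st["Resource"])
        for act in _as_list(st["Action"]):
            if act in OBJECT_ACTIONS and not any(_is_object_arn(r) for r in resources):
                problems.append(f"statement {i}: {act} does not apply to any resource ({resources})")
    return problems


def _matching_effects(policy, principal_arn, action, resource):
    """Effects ('Allow'/'Deny') of every statement that matches the request."""
    effects = []
    for st in _as_list(policy["Statement"]):
        principal = st.get("Principal")  # absent in identity policies
        if principal is not None and principal != "*":
            aws = _as_list(principal.get("AWS", []))
            if principal_arn not in aws and "*" not in aws:
                continue
        # IAM action names are case-insensitive; wildcards such as s3:* are allowed.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        effects.append(st["Effect"])
    return effects


def is_allowed(identity_policy, bucket_policy, principal_arn, action, resource, cross_account):
    """Decide one request; Deny anywhere wins, then the cross/same-account Allow rule applies."""
    ident = _matching_effects(identity_policy, principal_arn, action, resource)
    bucket = _matching_effects(bucket_policy, principal_arn, action, resource)
    if "Deny" in ident or "Deny" in bucket:
        return False
    if cross_account:
        return "Allow" in ident and "Allow" in bucket
    return "Allow" in ident or "Allow" in bucket


# ---- constructed sample data (made-up IDs and names) ----
APP_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT}:role/log-copy-lambda"  # Lambda role in the app account
SOURCE = S3_PREFIX + "app-a-logs"                # the app account's own log bucket
CENTRAL = S3_PREFIX + "central-security-logs"    # the security account's bucket
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

# Over-broad execution role: every S3 action on every bucket.
ROLE_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Least-privilege execution role: read source objects, write central objects.
ROLE_TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": SOURCE + "/*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": CENTRAL + "/*"}]}

# Bucket policy mistake: object action on the bare bucket ARN (no /*).
BUCKET_BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:PutObject", "Resource": CENTRAL}]}

# Working bucket policy: the same grant against the object ARN.
BUCKET_GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:PutObject", "Resource": CENTRAL + "/*"}]}

SRC_OBJ = SOURCE + "/2024/01/app.log.gz"
DST_OBJ = CENTRAL + "/app-a/2024/01/app.log.gz"


def copy_works(role_policy, bucket_policy):
    """True if the Lambda can read the source object (same account) and write the central one (cross account)."""
    return (is_allowed(role_policy, EMPTY_POLICY, ROLE_ARN, "s3:GetObject", SRC_OBJ, cross_account=False)
            and is_allowed(role_policy, bucket_policy, ROLE_ARN, "s3:PutObject", DST_OBJ, cross_account=True))


if __name__ == "__main__":
    print("lint of BUCKET_BAD:   ", lint_s3_statements(BUCKET_BAD))
    print("copy with BUCKET_BAD: ", copy_works(ROLE_TIGHT, BUCKET_BAD))
    print("copy with BUCKET_GOOD:", copy_works(ROLE_TIGHT, BUCKET_GOOD))
    for act in ("s3:GetObject", "s3:DeleteObject"):
        print(act, "on central, broad role:", is_allowed(ROLE_BROAD, BUCKET_GOOD, ROLE_ARN, act, DST_OBJ, True))
```

Running it shows the bad bucket policy failing lint and breaking the copy, the tight role plus the object-ARN bucket policy working, and the bucket policy acting as a backstop: even with the over-broad role, Get or Delete on the central bucket is refused because the bucket policy only grants PutObject. One caveat the question does not touch: objects written by a role in the application account are owned by the security account only if the central bucket's Object Ownership is set to bucket owner enforced (or the writer sets bucket-owner-full-control and the bucket policy requires it).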
tainh
2 years, 6 months ago
Selected Answer: AD
With the centralized S3 bucket policy you just need Put* permission https://lepczynski.it/en/aws_en/how-to-automatically-copy-data-from-aws-s3-lambda-events/
upvoted 3 times
Green53
1 year, 11 months ago
Can't be A, it's missing the "*" on the resource (outlined in your link also)
upvoted 1 times
tryks
2 years, 6 months ago
Will go for A & C
upvoted 1 times
landsamboni
2 years, 6 months ago
C? It would be D because the Lambda needs Put? I think AC.
upvoted 3 times
landsamboni
2 years, 6 months ago
correct: AD
upvoted 2 times
selim507
2 years, 4 months ago
A can not be, because there is a missing '*' in the policy
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other