
Exam AWS Certified Security - Specialty topic 1 question 449 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 449
Topic #: 1

A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”.

The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
  • B. Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
  • C. Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.
  • D. Ensure that the security engineer’s IAM role has the s3:PutObject permission for the S3 bucket.
  • E. Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.
Suggested Answer: BE
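As an added example (not from the question or the AWS documentation the comments link to), the Python below builds the least-privilege inline policy that answer E calls for on the instance profile role, checks which of the three managed policies from answer B are still missing, and runs a simplified IAM evaluation over the policy so the difference between an `s3:*` grant, a prefix-scoped `s3:PutObject` grant, and no grant at all (the 403 case) is visible. The bucket name, prefix and attached-policy lists are constructed sample values.

```python
import fnmatch

# Constructed sample values (not from the page): the S3 log bucket and key prefix.
LOG_BUCKET = "example-imagebuilder-logs"
LOG_PREFIX = "image-builder-logs/"

# Managed policies the page's answer B says the instance profile role needs.
REQUIRED_MANAGED_POLICIES = {
    "EC2InstanceProfileForImageBuilder",
    "EC2InstanceProfileForImageBuilderECRContainerBuilds",
    "AmazonSSMManagedInstanceCore",
}

def missing_managed_policies(attached_policy_names):
    """Required managed policies not yet attached to the instance profile role."""
    return REQUIRED_MANAGED_POLICIES - set(attached_policy_names)

def least_privilege_log_policy(bucket, prefix):
    """Inline policy for the instance profile role (answer E): s3:PutObject only,
    and only on the log prefix of the one bucket, rather than s3:* on *."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ImageBuilderLogWrite",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource_arn):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any Allow whose
    Action and Resource patterns match ('*'/'?' wildcards; no Condition keys)."""
    allowed = False
    for stmt in policy.get("Statement", []):
        act_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
        res_hit = any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt.get("Resource", [])))
        if act_hit and res_hit:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def build_instance_can_write_log(policy, bucket, key):
    """False is the 'AccessDenied: Access Denied status code: 403' the pipeline reports."""
    return allows(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}")
```

The evaluator ignores Condition blocks, resource policies and SCPs on purpose; it is only meant to show why the grant must sit on the instance profile role and be scoped to the log prefix.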

Comments

BK__
Highly Voted 2 years, 5 months ago
Selected Answer: BE
ANS is BE. For those supporting "A", the instance profile is an IAM role for the EC2 instance. A says the IAM role attached to the engineer, and this is wrong. B is the instance profile, which is the same as the IAM role for the EC2 instance.
upvoted 9 times
BK__
2 years, 5 months ago
The engineer is not the one that needs the permissions, but the EC2 instance.
upvoted 4 times
secdaddy
Highly Voted 2 years, 4 months ago
The rights are clearly listed here, supporting BE https://docs.aws.amazon.com/imagebuilder/latest/userguide/image-builder-setting-up.html#image-builder-IAM-prereq
upvoted 8 times
AzureDP900
2 years, 2 months ago
Thanks for sharing the link.
upvoted 2 times
Noexperience
Most Recent 1 year, 9 months ago
Selected Answer: AD
To meet the requirements of resolving the "Access Denied" error with Amazon EC2 Image Builder while adhering to best practices for least privilege access, the following steps should be taken:
A. Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
D. Ensure that the security engineer's IAM role has the s3:PutObject permission for the S3 bucket.
upvoted 1 times
jeff001
1 year, 11 months ago
Selected Answer: BE
https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied
upvoted 2 times
francinetanzx
1 year, 11 months ago
Selected Answer: BE
https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html
upvoted 1 times
OCHT
2 years ago
Selected Answer: AD
In the context of the scenario, the best combination would be A and D. Here's why: The IAM role that the security engineer is using to interact with Amazon EC2 Image Builder needs to have the right policies attached. The policies mentioned in Option A (EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore) provide the necessary permissions to create and manage EC2 instances for Image Builder, build and test the image, and use Systems Manager capabilities. Option D ensures that the security engineer's IAM role has the permissions needed to write logs to the S3 bucket. It's crucial for the role used to run the pipeline to have this permission, as the pipeline's logs are being sent to an S3 bucket.
upvoted 1 times
OCHT
2 years ago
The other combinations have a key issue - they suggest attaching the necessary permissions to the instance profile for the EC2 instance (Options B and E). However, the permissions needed to run the pipeline and write logs to the S3 bucket should be attached to the IAM role that the security engineer is using to interact with EC2 Image Builder, not the instance profile for the EC2 instance itself.
upvoted 1 times
bwestpha
2 years, 3 months ago
Selected Answer: BE
I checked BE.
upvoted 4 times
PatrickLi
2 years, 3 months ago
Selected Answer: BE
Vote for BE. The permission of the user who runs the pipeline is irrelevant.
upvoted 1 times
Teknoklutz
2 years, 5 months ago
Selected Answer: BE
BE is the correct answer.
upvoted 1 times
piter8111
2 years, 5 months ago
Selected Answer: BE
https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html - Access denied – status code 403
upvoted 6 times
tainh
2 years, 5 months ago
Selected Answer: BE
B, E are correct: https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied
upvoted 4 times
Wilson_S
2 years, 5 months ago
Link supporting A and E: https://docs.aws.amazon.com/imagebuilder/latest/userguide/image-builder-setting-up.html
upvoted 1 times
Wilson_S
2 years, 5 months ago
Sorry! B and E.
upvoted 2 times
AdamWest
2 years, 5 months ago
Selected Answer: AE
AE is the answer.
E = The instance profile role is missing permissions that are required for logging to Amazon S3. Most commonly, this occurs when the instance profile role does not have PutObject permissions for your S3 buckets.
A = An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts. You can tag instance profiles when you use the AWS CLI or AWS API. You can use IAM tag key-value pairs to add custom attributes to an instance profile. The IAM role that you associate with your instance profile must have permissions to run the build and test components included in your image. The following IAM role policies must be attached to the IAM role that is associated with the instance profile: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, AmazonSSMManagedInstanceCore.
https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html
upvoted 5 times
Saklani
2 years, 6 months ago
BE. https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#troubleshooting-pipelines
The instance profile is the one which should have the permission.
upvoted 2 times
kerar
2 years, 6 months ago
Selected Answer: AE
Instance profile is missing managed policies – Add the missing policies to your instance profile role. Then run the pipeline again.
Instance profile is missing write permissions for S3 bucket – Add a policy to your instance profile role that grants PutObject permissions to write to your S3 bucket. Then run the pipeline again.
https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#troubleshooting-pipelines
upvoted 5 times
kishore1212
2 years, 6 months ago
Selected Answer: BE
https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#troubleshooting-pipelines
The instance profile should have the permissions.
upvoted 1 times
[Removed]
2 years, 6 months ago
Answer should be A, E.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other