Amazon Exam SCS-C01 Topic 2 Question 57 Discussion

Actual exam question for Amazon's SCS-C01 exam

Question #: 57
Topic #: 2

A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet.

The security team is unable to get objects from the S3 bucket

Which factors could cause this issue? (Select THREE.)

AThe IAM instance profile that is attached to the EC2 instance does not allow the s3 ListBucket action to the S3: bucket in the AWS accounts.

BThe I AM instance profile that is attached to the EC2 instance does not allow the s3 ListParts action to the S3; bucket in the AWS accounts.

CThe KMS key policy that encrypts the object in the S3 bucket does not allow the kms; ListKeys action to the EC2 instance profile ARN.

DThe KMS key policy that encrypts the object in the S3 bucket does not allow the kms Decrypt action to the EC2 instance profile ARN.

EThe security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443.

FThe security group that is attached to the EC2 instance is missing an inbound rule from the S3 managed prefix list over port 443.

Show Suggested Answer

Suggested Answer: A, D, E

https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html

To get objects from an S3 bucket that are encrypted with a KMS customer managed key, the security team needs to have the following factors in place:

The IAM instance profile that is attached to the EC2 instance must allow the s3:GetObject action to the S3 bucket or object in the AWS account. This permission is required to read the object from S3. Option A is incorrect because it specifies the s3:ListBucket action, which is only required to list the objects in the bucket, not to get them.

The KMS key policy that encrypts the object in the S3 bucket must allow the kms:Decrypt action to the EC2 instance profile ARN. This permission is required to decrypt the object using the KMS key. Option D is correct.

The security group that is attached to the EC2 instance must have an outbound rule to the S3 managed prefix list over port 443. This rule is required to allow HTTPS traffic from the EC2 instance to S3 within the AWS infrastructure. Option E is correct. Option B is incorrect because it specifies the s3:ListParts action, which is only required for multipart uploads, not for getting objects. Option C is incorrect because it specifies the kms:ListKeys action, which is not required for getting objects. Option F is incorrect because it specifies an inbound rule from the S3 managed prefix list, which is not required for getting objects. Verified Reference:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html

by Hubert at Apr 10, 2024, 06:32 PM

Limited Time Offer

25%

8 days ago

Oh, this question seems tricky. I'm not sure if I would be able to get the right answer on the first try.

upvoted 0 times

...