

Amazon SCS-C02 Exam - Topic 5 Question 20 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 20
Topic #: 5

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket.

The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

Suggested Answer: B

For increased security while ensuring functionality, adjusting NACL3 to allow inbound traffic on port 5432 from the CIDR blocks of the application instance subnets, and allowing outbound traffic on ephemeral ports (1024-65536) back to those subnets creates a secure path for database access. Removing default allow-all rules enhances security by implementing the principle of least privilege, ensuring that only necessary traffic is permitted.
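The scenario in the question (Lambda functions in several application accounts writing into one centralized bucket, whose own account then cannot read the objects) is the classic cross-account object-ownership problem. The following is an added example, not part of the page or of AWS's own code: a simplified model of the rules that decide whether the bucket owner can read an object written by another account, together with the bucket policy condition and PutObject arguments that are normally used to prevent the problem. The account IDs, bucket name and role name are constructed placeholders, and the `bucket_owner_can_read` function is a deliberately reduced model of S3 behaviour, not an evaluator of real policies.

```python
"""
Added example: model of cross-account S3 log delivery and the
bucket-owner-cannot-read failure. Account IDs, bucket and role names are
constructed placeholders.
"""
import json

CENTRAL_ACCOUNT = "111111111111"          # constructed: owns the centralized bucket
APP_ACCOUNT = "222222222222"              # constructed: one application account
CENTRAL_BUCKET = "central-logs-example"   # constructed bucket name
LAMBDA_ROLE = "log-copy-lambda"           # constructed role name in each app account


def central_bucket_policy(app_accounts):
    """Bucket policy for the centralized bucket: each application account's
    Lambda role may write objects, but only when the request carries the
    bucket-owner-full-control canned ACL, so the bucket owner can read them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountLogDelivery",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{acct}:role/{LAMBDA_ROLE}"
                                  for acct in app_accounts]},
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{CENTRAL_BUCKET}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }],
    }


def put_object_args(key, body):
    """Arguments the copying Lambda passes to S3 PutObject (same parameter
    names boto3's s3.put_object accepts). The ACL satisfies the policy condition."""
    return {"Bucket": CENTRAL_BUCKET, "Key": key, "Body": body,
            "ACL": "bucket-owner-full-control"}


def statements_missing_owner_control(policy):
    """Return the Sids of Allow statements that grant s3:PutObject without
    requiring the bucket-owner-full-control ACL. Useful as a policy lint."""
    offending = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            offending.append(stmt.get("Sid", "<unnamed>"))
    return offending


def bucket_owner_can_read(object_owner, acl, ownership, iam_allows_get=True):
    """Simplified model (assumption, not a full S3 evaluator) of whether an
    IAM user in the bucket-owning account can read one object.

    object_owner: account that uploaded the object
    acl:          canned ACL the uploader set ('private', 'bucket-owner-read', ...)
    ownership:    bucket Object Ownership setting
                  ('ObjectWriter' | 'BucketOwnerPreferred' | 'BucketOwnerEnforced')
    iam_allows_get: the user's own identity policy grants s3:GetObject
    """
    if not iam_allows_get:
        return False                       # same-account user still needs an Allow
    if ownership == "BucketOwnerEnforced":
        return True                        # ACLs disabled; bucket owner owns every object
    if object_owner == CENTRAL_ACCOUNT:
        return True                        # written by the bucket owner's own account
    if ownership == "BucketOwnerPreferred" and acl == "bucket-owner-full-control":
        return True                        # ownership transferred to the bucket owner
    # ObjectWriter: the uploading account owns the object; only an ACL grant helps
    return acl in ("bucket-owner-full-control", "bucket-owner-read")


if __name__ == "__main__":
    print(json.dumps(central_bucket_policy([APP_ACCOUNT]), indent=2))
    print("lambda wrote with default ACL, readable by owner:",
          bucket_owner_can_read(APP_ACCOUNT, "private", "ObjectWriter"))
    print("lambda wrote with bucket-owner-full-control:",
          bucket_owner_can_read(APP_ACCOUNT, "bucket-owner-full-control", "ObjectWriter"))
```

The model shows the two independent requirements the thread keeps circling: the Engineer's identity policy must allow `s3:GetObject`, and the object itself must be readable by the bucket-owning account, which for objects uploaded from another account means either an ACL grant to the bucket owner or the bucket's Object Ownership setting taking ownership of uploads. Setting Object Ownership to BucketOwnerEnforced on the centralized bucket removes the ACL dependency entirely; the policy condition above is the older way to force cooperative writers to grant control.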


Contribute your Thoughts:

Diane
3 months ago
Surprised there's no explicit access in the bucket policy!
upvoted 0 times
Shelia
3 months ago
I think the IAM policy might be the issue too.
upvoted 0 times
Minna
3 months ago
Wait, are the object ACLs even set up correctly?
upvoted 0 times
Katlyn
4 months ago
Totally agree, the bucket policy is key here.
upvoted 0 times
Tom
4 months ago
The S3 bucket policy doesn't allow access to the Security Engineer.
upvoted 0 times
Noemi
4 months ago
I recall something about permissions needing to be applied at the bucket level, but I'm not confident if that's the main issue here.
upvoted 0 times
Mariko
4 months ago
I practiced a similar question, and I think it could also be that the IAM policy for the Security Engineer doesn't include the necessary permissions to read the objects in the bucket.
upvoted 0 times
Ronald
4 months ago
I'm not entirely sure, but I feel like the object ACLs could be a problem too. They might not be set up to allow access from the centralized account.
upvoted 0 times
Cassandra
5 months ago
I remember studying S3 bucket policies, and I think the issue might be that the bucket policy doesn't explicitly allow access for the Security Engineer.
upvoted 0 times
Alex
5 months ago
Ah, I think I've got it! The S3 bucket policy doesn't explicitly allow the Security Engineer's IAM user to access the objects in the bucket. That's likely the issue here.
upvoted 0 times
Angella
5 months ago
I'm a bit confused on this one. The policies seem to be set up correctly, but the Security Engineer still can't access the log files. I'll need to think this through step-by-step.
upvoted 0 times
Shelba
5 months ago
Okay, let's see here. The IAM policy seems to grant the necessary permissions, but the S3 bucket policy might be the problem. I'll need to double-check that.
upvoted 0 times
Allene
5 months ago
Hmm, this looks like a tricky one. I'll need to carefully review the IAM policy and S3 bucket policy to identify the issue.
upvoted 0 times
Trina
5 months ago
This is a good one. I'll need to carefully analyze the policies and consider all the possible reasons why the Security Engineer can't access the log files. Gotta be thorough on this exam.
upvoted 0 times
Elouise
5 months ago
Okay, let's see. I'm pretty sure inline editing isn't supported for system fields, but I'm not 100% sure about the other options.
upvoted 0 times
Gianna
5 months ago
I keep mixing up Cisco UCS and Cisco Hyperflex... Does UCS have a dashboard like that? I'm confused now.
upvoted 0 times
Mignon
9 months ago
I'm guessing the engineer is wishing they had a magic 'fix-all-my-problems' button right about now.
upvoted 0 times
Naomi
9 months ago
Haha, maybe the engineer just needs to take a step back and remember the golden rule: 'Grant the least privilege necessary.'
upvoted 0 times
Mohammad
8 months ago
The Engineer should review and adjust the policies accordingly.
upvoted 0 times
Carey
8 months ago
The bucket policy doesn't allow access from the Engineer's IAM user.
upvoted 0 times
Tatum
9 months ago
The Engineer's IAM user policy is too restrictive.
upvoted 0 times
Geoffrey
9 months ago
But the engineer's IAM policy also doesn't grant the required permissions to read objects in the S3 bucket. Both the bucket policy and the IAM policy need to be fixed.
upvoted 0 times
Vicky
9 months ago
I agree, the bucket policy is the problem here. The engineer needs to update the policy to grant the necessary permissions.
upvoted 0 times
Glory
8 months ago
The engineer needs to ensure proper permissions.
upvoted 0 times
Peggie
8 months ago
The IAM user policy may also need adjustments.
upvoted 0 times
Jade
8 months ago
The engineer should update the policy.
upvoted 0 times
Aracelis
9 months ago
The bucket policy is too restrictive.
upvoted 0 times
Veronika
10 months ago
The issue seems to be with the S3 bucket policy. It doesn't explicitly allow the Security Engineer's IAM user to access the objects in the bucket.
upvoted 0 times
Sharika
8 months ago
D: It seems like the s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
upvoted 0 times
Amira
9 months ago
C: The object ACLs should also be updated to allow users within the centralized account to access the objects.
upvoted 0 times
Alex
9 months ago
B: That's right, the Security Engineer's IAM policy needs to grant permissions to read objects in the S3 bucket.
upvoted 0 times
Tuyet
9 months ago
A: The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
upvoted 0 times
Evan
10 months ago
Maybe the IAM policy of the Security Engineer also needs to be adjusted to grant permissions to read objects in the S3 bucket.
upvoted 0 times
Lashon
10 months ago
I agree with Viola. The bucket policy needs to be updated to grant access to the Security Engineer.
upvoted 0 times
Viola
11 months ago
I think the Security Engineer is unable to access the log files because the S3 bucket policy does not explicitly allow access.
upvoted 0 times