
Amazon Exam SCS-C02 Topic 5 Question 20 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 20
Topic #: 5
[All SCS-C02 Questions]

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAM Lambda function into each account that copies the relevant log files to the centralized S3 bucket.

The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?
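The two policies in the question are images that did not survive on this page, so the following is an added illustration, not the question's own policies or the site's answer: a simplified Python model of how AWS combines an IAM identity policy with an S3 bucket policy for the scenario above (a user in the centralized account, log-copier roles in other accounts). Account ids, ARNs, the bucket name and both policies are constructed placeholders, and the evaluator is a teaching model of the documented evaluation rules, not the AWS evaluator.

```python
from fnmatch import fnmatchcase

# Constructed placeholders: account ids, ARNs and bucket name are not from the question.
CENTRAL_ACCOUNT = "111111111111"
ENGINEER = f"arn:aws:iam::{CENTRAL_ACCOUNT}:user/security-engineer"
COPIER_ROLE = "arn:aws:iam::222222222222:role/log-copier"  # Lambda role in an application account
BUCKET = "arn:aws:s3:::central-logs"

# Constructed policies for the scenario: the engineer can list the bucket and the
# copier role can write objects, but nothing grants the engineer s3:GetObject.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": COPIER_ROLE},
     "Action": "s3:PutObject", "Resource": BUCKET + "/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, principal, action, resource):
    """True when the statement covers this principal, action and resource.
    Identity-policy statements carry no Principal; they apply to the identity
    they are attached to, so the caller must pass that identity's own policy."""
    princ = stmt.get("Principal", "*")
    names = ["*"] if princ == "*" else _as_list(princ.get("AWS", []))
    if "*" not in names and principal not in names:
        return False
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def is_allowed(principal, action, resource, identity_policy, bucket_policy):
    """Simplified evaluation: an explicit Deny anywhere wins; a principal in the
    bucket's own account needs an Allow in either policy; a principal from
    another account (the copier roles) needs an Allow in both."""
    identity = [s["Effect"] for s in identity_policy["Statement"]
                if _matches(s, principal, action, resource)]
    bucket = [s["Effect"] for s in bucket_policy["Statement"]
              if _matches(s, principal, action, resource)]
    if "Deny" in identity or "Deny" in bucket:
        return False
    if principal.split(":")[4] == CENTRAL_ACCOUNT:
        return "Allow" in identity or "Allow" in bucket
    return "Allow" in identity and "Allow" in bucket
```

With these constructed policies, `is_allowed(ENGINEER, "s3:GetObject", BUCKET + "/app1/x.log", IDENTITY_POLICY, BUCKET_POLICY)` returns False and stays False until either the identity policy or the bucket policy grants the engineer `s3:GetObject` on the objects, while an explicit Deny in either policy blocks the read regardless.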

Suggested Answer: B

For increased security while ensuring functionality, adjusting NACL3 to allow inbound traffic on port 5432 from the CIDR blocks of the application instance subnets, and allowing outbound traffic on ephemeral ports (1024-65536) back to those subnets creates a secure path for database access. Removing default allow-all rules enhances security by implementing the principle of least privilege, ensuring that only necessary traffic is permitted.


Contribute your Thoughts:

Mignon
10 days ago
I'm guessing the engineer is wishing they had a magic 'fix-all-my-problems' button right about now.
upvoted 0 times
Naomi
11 days ago
Haha, maybe the engineer just needs to take a step back and remember the golden rule: 'Grant the least privilege necessary.'
upvoted 0 times
Geoffrey
13 days ago
But the engineer's IAM policy also doesn't grant the required permissions to read objects in the S3 bucket. Both the bucket policy and the IAM policy need to be fixed.
upvoted 0 times
Vicky
14 days ago
I agree, the bucket policy is the problem here. The engineer needs to update the policy to grant the necessary permissions.
upvoted 0 times
Veronika
1 month ago
The issue seems to be with the S3 bucket policy. It doesn't explicitly allow the Security Engineer's IAM user to access the objects in the bucket.
upvoted 0 times
Alex
9 days ago
B: That's right, the Security Engineer's IAM policy needs to grant permissions to read objects in the S3 bucket.
upvoted 0 times
Tuyet
14 days ago
A: The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
upvoted 0 times
Evan
2 months ago
Maybe the IAM policy of the Security Engineer also needs to be adjusted to grant permissions to read objects in the S3 bucket.
upvoted 0 times
Lashon
2 months ago
I agree with Viola. The bucket policy needs to be updated to grant access to the Security Engineer.
upvoted 0 times
Viola
2 months ago
I think the Security Engineer is unable to access the log files because the S3 bucket policy does not explicitly allow access.
upvoted 0 times