Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon SCS-C02 Exam - Topic 9 Question 38 Discussion

A developer operations team uses AWS Identity and Access Management (1AM) to manage user permissions The team created an Amazon EC2 instance profile role that uses an AWS managed Readonly Access policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error.The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file.What should the administrator do to fix the 1AM access issue?
B) Add the EC2 1AM role as the authorized Principal to the S3 bucket policy.
A) Edit the ReadOnlyAccess policy to add kms:Decrypt actions.
C) Attach an inline policy with kms Decrypt permissions to the 1AM role
D) Attach an inline policy with S3: * permissions to the 1AM role.

Amazon SCS-C02 Exam - Topic 9 Question 38 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 38
Topic #: 9
[All SCS-C02 Questions]

A developer operations team uses AWS Identity and Access Management (1AM) to manage user permissions The team created an Amazon EC2 instance profile role that uses an AWS managed Readonly Access policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error.

The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file.

What should the administrator do to fix the 1AM access issue?

Show Suggested Answer Hide Answer
Suggested Answer: B

Utilizing CloudFront signed cookies is the simplest and most effective way to protect HLS video content for paying subscribers. Signed cookies provide access control for multiple files, such as video chunks in HLS streaming, without the need to generate a signed URL for each video chunk. This method simplifies the process for long video events with thousands of chunks, enhancing user experience while ensuring content protection.


by Johnna at Dec 06, 2024, 01:10 AM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Sommer
6 months ago
Just adding S3:* seems too broad, not a fan of option D.
upvoted 0 times
...
Meaghan
6 months ago
I disagree, I’d go with option C for more control.
upvoted 0 times
...
Refugia
7 months ago
Isn't it weird that the bucket policy allows access but still gets denied?
upvoted 0 times
...
Millie
7 months ago
I think option B is the way to go!
upvoted 0 times
...
Desire
7 months ago
Sounds like a KMS issue, definitely need kms:Decrypt.
upvoted 0 times
...
Glenn
7 months ago
I’m a bit confused about whether we need to give broader S3 permissions or just focus on KMS. Option D seems too broad, but I guess it could work?
upvoted 0 times
...
Noemi
7 months ago
I practiced a similar question where we had to add permissions for KMS decryption. I feel like option C could be the way to go here.
upvoted 0 times
...
Brinda
8 months ago
I'm not entirely sure, but I think adding the EC2 IAM role to the S3 bucket policy could help. That sounds like option B, right?
upvoted 0 times
...
Vallie
8 months ago
I remember reading that KMS permissions are crucial for accessing encrypted S3 objects, so option A might be the right choice.
upvoted 0 times
...
Veronica
8 months ago
This seems straightforward enough. I'd go with option A and add the kms:Decrypt action to the ReadOnlyAccess policy. That should resolve the access issue without needing to make any changes to the S3 bucket policy.
upvoted 0 times
...
Mireya
8 months ago
Based on the information provided, I think the best approach would be to edit the ReadOnlyAccess policy to add the kms:Decrypt action. That should give the IAM role the necessary permissions to access the encrypted S3 bucket.
upvoted 0 times
...
Virgilio
8 months ago
I'm a bit confused here. The bucket policy allows everyone in the account to access the bucket, so I'm not sure why the IAM role is still getting an AccessDenied error. Maybe I'm missing something.
upvoted 0 times
...
Darci
8 months ago
Okay, let's see. The issue seems to be with the IAM role not having the right permissions to decrypt the encrypted S3 bucket. I think option C might be the way to go.
upvoted 0 times
...
Cherelle
8 months ago
Hmm, this seems like a tricky one. I'll need to think through the IAM permissions and S3 bucket policies carefully.
upvoted 0 times
...
Fairy
1 year ago
I bet the administrator is wishing they had a magic 8-ball to tell them the right answer. Luckily, Option C is the clear choice here.
upvoted 0 times
Teddy
12 months ago
Verify that the application is using the correct credentials to access the S3 bucket.
upvoted 0 times
...
Valene
12 months ago
Update the EC2 instance profile role to include the necessary permissions for accessing encrypted S3 buckets.
upvoted 0 times
...
Cherri
12 months ago
Make sure the application has the correct permissions to access the S3 bucket.
upvoted 0 times
...
Berry
12 months ago
Check if the EC2 instance profile role has the necessary permissions.
upvoted 0 times
...
...
Donette
1 year ago
This is a classic case of 'the answer is always in the question'. The IAM role needs the KMS decrypt permission, so Option C is the correct answer. Easy peasy!
upvoted 0 times
...
Georgiann
1 year ago
Haha, looks like the administrator forgot to give the IAM role the right permissions. Option C is the way to fix this, no need to go messing with the S3 bucket policy.
upvoted 0 times
Markus
12 months ago
That makes sense, no need to mess with the S3 bucket policy then.
upvoted 0 times
...
Bulah
12 months ago
Yeah, attaching an inline policy with kms Decrypt permissions to the 1AM role should do the trick.
upvoted 0 times
...
Georgene
1 year ago
Option C is the best solution here.
upvoted 0 times
...
...
Elke
1 year ago
I'm pretty sure the S3 bucket policy is not the problem here. The IAM role needs the correct permissions to access the encrypted S3 object, which means we need to add the KMS decrypt action.
upvoted 0 times
Wilda
1 year ago
D: No, we need to focus on adding the decryption permissions to the IAM role.
upvoted 0 times
...
Dominga
1 year ago
C: Add the EC2 IAM role as the authorized Principal to the S3 bucket policy.
upvoted 0 times
...
Kiley
1 year ago
B: That makes sense, we need to allow decryption of the encrypted S3 object.
upvoted 0 times
...
Tien
1 year ago
A: Edit the ReadOnlyAccess policy to add kms:Decrypt actions.
upvoted 0 times
...
...
Dolores
1 year ago
Option C looks like the way to go. The issue is with the IAM role's permissions, so we need to add the necessary KMS permissions to that role.
upvoted 0 times
...
Olene
1 year ago
I'm not sure. Maybe attaching an inline policy with kms Decrypt permissions to the 1AM role could also work.
upvoted 0 times
...
Genevive
1 year ago
I agree with Remedios. Adding kms:Decrypt actions to the policy should fix the access issue.
upvoted 0 times
...
Remedios
1 year ago
I think the administrator should edit the ReadOnlyAccess policy to add kms:Decrypt actions.
upvoted 0 times
...

Save Cancel