Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 274 discussion

Script is never AWS answers

Option D impacts the application's normal workflow. It will block access to the objects from the internet irrespective of whether the user is authorised or not.

Not C due to the following: C. Script for Private ACL (Potentially Disruptive): Setting a private ACL on all objects might disrupt existing download mechanisms that rely on signed URLs.

Answer: D https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html

Public Block access

D. IgnorePulicAcls : Setting this option to TRUE causes Amazon S3 to ignore all public ACLs on a bucket and any objects that it contains. This setting enables you to safely block public access granted by ACLs while still allowing PUT Object calls that include a public ACL (as opposed to BlockPublicAcls, which rejects PUT Object calls that include a public ACL). Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

Correct D. Uses the Block Public Access feature in Amazon S3 to set the IgnorePublicAcls option to TRUE on the bucket. This would immediately block public access to the files in the S3 bucket without affecting the application's normal workflow. The application can still generate signed URLs to allow users to download their reports. The IgnorePublicAcls setting ignores any public ACLs on objects in this bucket and any objects that are added to this bucket in the future.

its a D

D - yank the cable from the switch. Check this -> https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

D is the most appropriate solution as it directly addresses the security issue by using the Block Public Access feature in Amazon S3. By setting the IgnorePublicAcIs option to TRUE, it ensures that public access to the bucket and its objects is blocked, preventing unauthorized downloads. This solution is immediate, doesn't require modifying the application code or workflow, and provides an effective security control.

d-d-d-d-d-d

IF the purpose is block pre-signed URL access to bucket, none of the options will work. If we are just blocking non pre-signed URL access, then both C and D will work. Correct me if I am wrong here.

C indeed

Amazon S3 Block Public Access provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access, but users or applications can modify bucket policies or object permissions to allow public access. S3 Block Public Access settings override these public access settings. You can use S3 Block Public Access to block existing public access, whether specified by an ACL or a policy, and to ensure that public access isn't granted to newly created items. Using signed URLs to grant temporary access to the S3 objects is a secure way to share files. It allows the company to continue using their current workflow without affecting its users while also maintaining the privacy and security of the files in the bucket.

D - Block Public Access feature in Amazon S3 to set the IgnorePublicAcIs

Correct Answer is C