Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 63 discussion

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket.
A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.
What is the FASTEST way to prevent the sensitive data from being exposed?

  • A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
  • B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
  • C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
  • D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
Suggested Answer: C
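The three steps in option C, written out as one script. This is an added example and not part of the ExamTopics page or of AWS documentation; the account id, role name, instance profile name and bucket name are placeholders, and the `RecordingClient` is a constructed dry-run stand-in for the boto3 `iam` and `s3` clients so the sequence can be exercised offline. The ordering matters: revoking existing sessions first makes the credentials the instance already holds (valid for up to 6 hours from IMDS) useless, the bucket-level Deny then beats any Allow the role still carries, and detaching the role from the instance profile stops IMDS from issuing fresh credentials, which closes the "reconnect with a new session" window raised in the comments below.

```python
"""Containment for a role attached to a suspect EC2 instance (option C).

Added example; not from the original page. Placeholders below are assumptions.
"""
import json
from datetime import datetime, timezone

# Placeholders for this example; replace with the real identifiers.
ACCOUNT_ID = "123456789012"
ROLE_NAME = "app-data-role"
INSTANCE_PROFILE = "app-instance-profile"
BUCKET = "sensitive-data-bucket"
DENY_SID = "DenyCompromisedRole"


def revoke_sessions_policy(issued_before):
    """The inline policy the console attaches under "Revoke active sessions":
    deny everything to any session whose credentials were issued before the
    cut-off. Sessions issued later still work, so the role must also be detached."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}},
        }],
    }


def bucket_deny_statement(role_arn, bucket):
    """Explicit Deny for the role on the bucket and every object in it.
    An explicit Deny overrides any Allow in the role's own policies."""
    return {
        "Sid": DENY_SID,
        "Effect": "Deny",
        "Principal": {"AWS": role_arn},
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }


def merged_bucket_policy(existing_policy_json, role_arn, bucket):
    """put_bucket_policy replaces the whole policy, so keep existing statements
    and add (or refresh) the Deny rather than overwriting them."""
    if existing_policy_json:
        policy = json.loads(existing_policy_json)
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    statements = [s for s in policy["Statement"] if s.get("Sid") != DENY_SID]
    statements.append(bucket_deny_statement(role_arn, bucket))
    policy["Statement"] = statements
    return policy


def contain_role(iam, s3, role_name, bucket, account_id, instance_profile, cutoff=None):
    """Apply the three containment steps in order and return the policies used.
    `iam` and `s3` are boto3 clients or any object exposing the same methods.
    `cutoff` is an ISO-8601 UTC timestamp; it defaults to now."""
    if cutoff is None:
        cutoff = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"

    # 1) Invalidate every session the role has issued so far.
    revoke = revoke_sessions_policy(cutoff)
    iam.put_role_policy(RoleName=role_name, PolicyName="AWSRevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke))

    # 2) Deny the role at the bucket, preserving the existing policy.
    try:
        existing = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except Exception:  # boto3 raises NoSuchBucketPolicy when none is attached
        existing = None
    policy = merged_bucket_policy(existing, role_arn, bucket)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))

    # 3) Stop IMDS on the instance from handing out new credentials.
    iam.remove_role_from_instance_profile(InstanceProfileName=instance_profile,
                                          RoleName=role_name)
    return {"revoke_policy": revoke, "bucket_policy": policy}


class RecordingClient:
    """Constructed dry-run stand-in for a boto3 client: records each call
    instead of making it. Swap in boto3.client("iam") / boto3.client("s3")
    for a real run."""

    def __init__(self, bucket_policy=None):
        self.calls = []
        self._bucket_policy = bucket_policy

    def get_bucket_policy(self, Bucket):
        if self._bucket_policy is None:
            raise LookupError("NoSuchBucketPolicy")
        return {"Policy": self._bucket_policy}

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
        return record


if __name__ == "__main__":
    iam, s3 = RecordingClient(), RecordingClient()
    out = contain_role(iam, s3, ROLE_NAME, BUCKET, ACCOUNT_ID, INSTANCE_PROFILE)
    print(json.dumps(out, indent=2))
    print([c[0] for c in iam.calls + s3.calls])
```

Patching afterwards is a separate task; the KMS key is untouched here because, as the comments note, disabling it does nothing for data keys the instance has already decrypted, whereas the role is the only path the instance has to both the key and the bucket.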

Comments

Sodev
8 months ago
C. However, this is not a good question. What happens if the "critical operation" needs to continue accessing data on S3? If I were a writer for this question, I would add another answer: "Deny outbound from EC2 and route to S3 via an S3 gateway endpoint only".
upvoted 1 times
xflare
8 months, 2 weeks ago
Selected Answer: C
D takes longer than it looks. If you disable the KMS key, the data key is still usable until you try to encrypt it again. If the data key has been decrypted within the instance, it will remain usable even after you disable the KMS key, and the rogue instance can keep reading info from S3. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#unusable-kms-keys
upvoted 2 times
Raphaello
9 months, 2 weeks ago
Selected Answer: C
D is a valid solution, but not the fastest as requested. Creating a batch operation to re-encrypt 2 TB of data on S3 might take time. Plus, the old and new KMS keys are equally the same for an attacker who has access to the EC2/role that's allowed to use the key. The solution needs to be with the role itself to eliminate further access to sensitive data. Revoke current active session permissions, set the S3 bucket policy to deny the role, and remove the role altogether from the EC2 instance profile. C.
upvoted 1 times
Oralinux
12 months ago
C. Revoke the IAM role's active session permissions.
upvoted 3 times
Daniel76
12 months ago
Selected Answer: C
This contains a more detailed response. Refer to part 2 for the containment step. The first step is always to deal with the role access first. https://www.bicarait.com/2021/04/27/aws-incident-response-unintended-access-to-s3-bucket/ It only takes a few minutes for policy updates to effectively revoke the role's temporary security credentials to force all users assuming the role to reauthenticate and request new credentials (as compared to re-encrypting the entire S3 bucket data to a single new key). https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html#deny-access-to-all-sessions Furthermore, though unrelated to the requirement: the S3 bucket may be encrypted by multiple data keys, which is intended. By re-encrypting the entire bucket, you may affect data that is encrypted by other legitimate keys unaffected by this vulnerable EC2.
upvoted 2 times
Aamee
1 year ago
Still very confusing between C and D... but I'd probably go with C.
upvoted 1 times
kejam
1 year ago
Selected Answer: D
Answer D. The fastest way to prevent sensitive data from being exposed is to disable the current key. A. Not fast. B. Not fast. C. AWSRevokeOlderSessions is fast; however, bad actors can immediately reconnect with new sessions before you remove the IAM role from the EC2 instance profile. If these steps were reversed to prevent that, it's no longer the fastest solution because it's 2 steps. D. Disable the current key... the 1st step prevents sensitive data exposure, and the rest of the steps to re-encrypt the data with a new key can follow.
upvoted 2 times
confusedyeti69
1 year ago
If your bucket has millions of objects, re-encryption is slower. Ans is C
upvoted 1 times
Aamee
1 year ago
No, that's not the point here. The requirement is to implement it 'FASTER' to get it secured on the first attempt, which I also feel option D provides. Disabling the key right away can at least help ensure that no sensitive data would get exposed further IMO... and then the rest of the steps to re-encrypt the data can be done as a 2nd step to follow...
upvoted 1 times
100fold
1 year, 1 month ago
Selected Answer: C
Answer C https://www.examtopics.com/discussions/amazon/view/60659-exam-aws-certified-security-specialty-topic-1-question-287/
upvoted 3 times