Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 63 discussion

The goal is to quickly prevent the compromised EC2 instance from accessing the sensitive data in S3. The fastest way to do this is: Revoke the IAM role's active session permissions This immediately removes temporary credentials from the EC2 instance. Use AWS STS to revoke active session tokens: Update the S3 bucket policy to deny access to the IAM role Even if the instance has temporary credentials, a bucket policy denial rule will override all permissions. Remove the IAM role from the EC2 instance profile This prevents the EC2 instance from obtaining new credentials.

While Option C attempts to mitigate access by removing permissions, it does not directly address the potential misuse of the KMS key during an active session. Option D ensures an immediate and definitive block to sensitive data access, making it the more secure and fastest response to prevent exposure. If the volume of objects is significant, re-encryption can be deferred without compromising data security because disabling the original key renders the data inaccessible.

C, However, This is not a good question. what happen if "Critical operation" need to continue access to data on S3 ? If i am a writer for this question. I will add more Answer "Deny outbount from EC2 and routing to S3 via s3 gateway endpoint only"

D takes longer than it looks. If you disable the KMS key, the data key is still usable until you try to encrypt it again. If the data key has been unencrypted within the instance, it will remain usable even after you disable the KMS and the rogue instance can keep reading info from S3. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#unusable-kms-keys.

D is a valid solution, but not the fastest as requested. Creating a batch operation to re-encrypt 2TB to data on S3 might take time. Plus, old or new KMS key are both equally same for an attacker who has access to the EC2/role that's allowed to use the key. The solution needs to be with the role itself to eliminate further access to sensitive data. Revoke current active session permissions, set S3 bucket policy to deny the role, and remove the role altogether from EC2 instance profile. C.

C. Revoke the IAM role's active session permissions.

This contains more detail response. Refer to part 2 for containment step. The first step is always to deal with the role access first. https://www.bicarait.com/2021/04/27/aws-incident-response-unintended-access-to-s3-bucket/ It only takes a few minutes for policy updates to effectively revoke the role’s temporary security credentials to force all users assuming the role to reauthenticate and request new credentials. (as compare to re-encrypt entire s3 bucket data to a single new key) https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html#deny-access-to-all-sessions Furthermore, though unrelated to the requirement: The s3 bucket may be encrypted by multiple data keys which is intended. by re-encrypting the entire bucket, you may affect data that are encrypted by other legitimate keys unaffected by this vulnerable ec2.

Still v confusing btw C and D.... but I'd probably go with C.

Answer D. The fastest way to prevent sensitive data from being exposed is to disable the current key. A. Not fast B. Not fast C. AWSRevokeOlderSessions is fast, however bad actors can immediately reconnect with new sessions before you remove the IAM role from the EC2 instance profile. If these steps were reversed to prevent that its no longer the fastest solution because its 2 steps. D. Disable the current key... 1st step prevents sensitive data exposure and the rest of the steps to re-encrypt the data with a new key can follow.

Answer C https://www.examtopics.com/discussions/amazon/view/60659-exam-aws-certified-security-specialty-topic-1-question-287/