exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 83 discussion

A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: "AccessDenied: Access Denied status code: 403".

The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Ensure that the following policies are attached to the IAM role that the security engineer is using·EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
  • B. Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
  • C. Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.
  • D. Ensure that the security engineer's IAM role has the s3:PutObject permission for the S3 bucket.
  • E. Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.
Show Suggested Answer Hide Answer
Suggested Answer: BE 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Sodev
8 months ago
In AWS docs: "Select an IAM role that you want to associate with the instance profile for component permissions on your build and test instances. Image Builder uses these permissions to download and run your components, upload logs to CloudWatch, and perform any additional actions that the components in your recipe specify."
upvoted 1 times
...
ratsoft
8 months, 3 weeks ago
Selected Answer: BE
https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied ause Possible causes include: The instance profile does not have the required permissions to access APIs or component resources. The instance profile role is missing permissions that are required for logging to Amazon S3. Most commonly, this occurs when the instance profile role does not have PutObject permissions for your S3 buckets. Solution Depending on the cause, this issue can be resolved as follows: Instance profile is missing managed policies – Add the missing policies to your instance profile role. Then run the pipeline again. Instance profile is missing write permissions for S3 bucket – Add a policy to your instance profile role that grants PutObject permissions to write to your S3 bucket. Then run the pipeline again.
upvoted 1 times
...
Mandla97
9 months, 2 weeks ago
BE Cause Possible causes include: The instance profile does not have the required permissions to access APIs or component resources. The instance profile role is missing permissions that are required for logging to Amazon S3. Most commonly, this occurs when the instance profile role does not have PutObject permissions for your S3 buckets. Solution Depending on the cause, this issue can be resolved as follows: Instance profile is missing managed policies – Add the missing policies to your instance profile role. Then run the pipeline again. Instance profile is missing write permissions for S3 bucket – Add a policy to your instance profile role that grants PutObject permissions to write to your S3 bucket. Then run the pipeline again.
upvoted 1 times
...
vikasj1in
10 months, 3 weeks ago
A. The IAM role used by Amazon EC2 Image Builder needs to have the necessary policies attached to perform the required actions. In this case, the role needs policies such as EC2InstanceProfileForImageBuilder,EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore. D: The IAM role must have the s3:PutObject permission for the specified S3 bucket. This permission is required for storing logs in the S3 bucket. Options B and E involve attaching policies directly to the instance profile, which is not the recommended approach for Amazon EC2 Image Builder. The IAM role associated with EC2 Image Builder is used for the build process, and it is the role that needs the required permissions. Option C is not specific to the IAM role or instance profile used by Amazon EC2 Image Builder, and it's generally not recommended to attach broad policies like AWSImageBuilderFullAccess without following the principle of least privilege.
upvoted 1 times
...
giancesarini2023
11 months, 2 weeks ago
The correct answer is B/E.
upvoted 1 times
...
3633f8f
11 months, 3 weeks ago
Selected Answer: BE
BE choice as Instance Profile >> Role for the Instance on start up - usually -
upvoted 2 times
...
WeepingMaplte
11 months, 3 weeks ago
Selected Answer: BE
EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore are policies. https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam-awsmanpol.html Ensure the IAM roles used by Image Builder have the necessary permissions to access resources involved in the build process, like S3 buckets, EC2 instances, and SSM automation documents.
upvoted 1 times
...
Aamee
1 year ago
Selected Answer: BE
Thanks folks!... got the EC2 Instance profile concept now so def. going with B and E now.
upvoted 1 times
...
snowmaggedon
1 year ago
A pipeline is running so that means the engineer's role is not relevant. Answer is BE
upvoted 1 times
...
AgboolaKun
1 year ago
Selected Answer: BE
Please note that an instance profile is an IAM role for the EC2 instance. Therefore, the option A which states that "IAM role attached to the engineer" is wrong. Please check this link for more information - https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied
upvoted 3 times
...
Aamee
1 year ago
"Solution: Depending on the cause, this issue can be resolved as follows: Instance profile is missing managed policies – Add the missing policies to your instance profile role. Then run the pipeline again. Instance profile is missing write permissions for S3 bucket – Add a policy to your instance profile role that grants PutObject permissions to write to your S3 bucket. Then run the pipeline again." The sol. states that it's EC2 Instance Profile "Role" as per their documentation. Whereas, in option B and E, it states EC2 Instance profile only. Does it mean the same thing? Can someone pls. help clarify on this.
upvoted 1 times
ion_gee
8 months ago
AN EC2 Instance profile is an IAM role created to be used by an EC2 instance and attached to the Ec2 instance. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
upvoted 1 times
...
...
[Removed]
1 year ago
Selected Answer: BE
B and E as per the following https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied
upvoted 3 times
...
oioi
1 year ago
Selected Answer: DE
correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago