Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 83 discussion

In AWS docs: "Select an IAM role that you want to associate with the instance profile for component permissions on your build and test instances. Image Builder uses these permissions to download and run your components, upload logs to CloudWatch, and perform any additional actions that the components in your recipe specify."

https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied ause Possible causes include: The instance profile does not have the required permissions to access APIs or component resources. The instance profile role is missing permissions that are required for logging to Amazon S3. Most commonly, this occurs when the instance profile role does not have PutObject permissions for your S3 buckets. Solution Depending on the cause, this issue can be resolved as follows: Instance profile is missing managed policies – Add the missing policies to your instance profile role. Then run the pipeline again. Instance profile is missing write permissions for S3 bucket – Add a policy to your instance profile role that grants PutObject permissions to write to your S3 bucket. Then run the pipeline again.

BE Cause Possible causes include: The instance profile does not have the required permissions to access APIs or component resources. The instance profile role is missing permissions that are required for logging to Amazon S3. Most commonly, this occurs when the instance profile role does not have PutObject permissions for your S3 buckets. Solution Depending on the cause, this issue can be resolved as follows: Instance profile is missing managed policies – Add the missing policies to your instance profile role. Then run the pipeline again. Instance profile is missing write permissions for S3 bucket – Add a policy to your instance profile role that grants PutObject permissions to write to your S3 bucket. Then run the pipeline again.

A. The IAM role used by Amazon EC2 Image Builder needs to have the necessary policies attached to perform the required actions. In this case, the role needs policies such as EC2InstanceProfileForImageBuilder,EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore. D: The IAM role must have the s3:PutObject permission for the specified S3 bucket. This permission is required for storing logs in the S3 bucket. Options B and E involve attaching policies directly to the instance profile, which is not the recommended approach for Amazon EC2 Image Builder. The IAM role associated with EC2 Image Builder is used for the build process, and it is the role that needs the required permissions. Option C is not specific to the IAM role or instance profile used by Amazon EC2 Image Builder, and it's generally not recommended to attach broad policies like AWSImageBuilderFullAccess without following the principle of least privilege.

The correct answer is B/E.

BE choice as Instance Profile >> Role for the Instance on start up - usually -

EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore are policies. https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam-awsmanpol.html Ensure the IAM roles used by Image Builder have the necessary permissions to access resources involved in the build process, like S3 buckets, EC2 instances, and SSM automation documents.

Thanks folks!... got the EC2 Instance profile concept now so def. going with B and E now.

A pipeline is running so that means the engineer's role is not relevant. Answer is BE

Please note that an instance profile is an IAM role for the EC2 instance. Therefore, the option A which states that "IAM role attached to the engineer" is wrong. Please check this link for more information - https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied

"Solution: Depending on the cause, this issue can be resolved as follows: Instance profile is missing managed policies – Add the missing policies to your instance profile role. Then run the pipeline again. Instance profile is missing write permissions for S3 bucket – Add a policy to your instance profile role that grants PutObject permissions to write to your S3 bucket. Then run the pipeline again." The sol. states that it's EC2 Instance Profile "Role" as per their documentation. Whereas, in option B and E, it states EC2 Instance profile only. Does it mean the same thing? Can someone pls. help clarify on this.

B and E as per the following https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied

correct