Exam AWS Certified Security - Specialty SCS-C02 All Questions

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 145 discussion

A developer operations team uses AWS Identity and Access Management (IAM) to manage user permissions. The team created an Amazon EC2 instance profile role that uses an AWS managed ReadOnlyAccess policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error.

The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file.

What should the administrator do to fix the IAM access issue?

  • A. Edit the ReadOnlyAccess policy to add kms:Decrypt actions
  • B. Add the EC2 IAM role as the authorized Principal to the S3 bucket policy
  • C. Attach an inline policy with kms:Decrypt permissions to the IAM role
  • D. Attach an inline policy with S3:* permissions to the IAM role
Suggested Answer: C
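The question turns on one detail: ReadOnlyAccess grants s3:Get* and the read-only KMS actions (Describe, Get, List), but not kms:Decrypt, and an object stored with SSE-KMS cannot be returned by S3 unless the caller is allowed to decrypt with the key. Objects encrypted with SSE-S3 do not need any KMS permission, so an AccessDenied on a read-only principal is a strong hint that the bucket uses SSE-KMS. The block below is an added illustration, not code from the exam page or from AWS: it models identity-policy evaluation just far enough to show the missing action, and builds the option C inline policy scoped to one key and to calls that arrive through S3 (kms:ViaService). The policy subset, bucket, key ARN and account id are constructed; the model assumes the bucket policy and the KMS key policy already allow the account, as the question states for the bucket.

```python
"""Model of why a role with only ReadOnlyAccess gets AccessDenied on an SSE-KMS
object, and of the inline kms:Decrypt policy that fixes it.

Added example, not code from the exam page. The policy subset, ARNs and account
id below are constructed for illustration; the evaluator models identity policies
only and assumes the bucket policy and the KMS key policy already allow the account."""
import fnmatch
import json

# Constructed subset of the AWS managed ReadOnlyAccess policy: read actions on S3
# and KMS are present, kms:Decrypt is not (the real policy covers far more services).
READ_ONLY_ACCESS_SUBSET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Describe*", "kms:Get*", "kms:List*"], "Resource": "*"},
    ],
}


def kms_decrypt_inline_policy(key_arn: str, region: str) -> dict:
    """Least-privilege inline policy for option C: kms:Decrypt on one key, and only
    when the request arrives through S3 in the given region (kms:ViaService)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DecryptS3ObjectsWithThisKey",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": key_arn,
            "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    # IAM action names are case-insensitive; the constructed ARNs are lower case,
    # so one case-folding wildcard match serves both actions and resources here.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    if not any(_match(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    # Only StringEquals is modelled; a key missing from the request context fails it,
    # as in IAM, so the Decrypt grant cannot be used by calling KMS directly.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policies: list, action: str, resource: str, context=None) -> bool:
    """Simplified identity-policy evaluation: explicit Deny wins, any matching
    Allow grants, otherwise implicit deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def missing_for_sse_kms_get(policies: list, object_arn: str, key_arn: str, region: str) -> list:
    """Actions a GetObject on an SSE-KMS object needs that the policies do not grant.
    S3 calls KMS on the caller's behalf, so the Decrypt request carries
    kms:ViaService = s3.<region>.amazonaws.com."""
    checks = [
        ("s3:GetObject", object_arn, {}),
        ("kms:Decrypt", key_arn, {"kms:ViaService": f"s3.{region}.amazonaws.com"}),
    ]
    return [action for action, res, ctx in checks if not is_allowed(policies, action, res, ctx)]


# Constructed identifiers for the demonstration.
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
REGION = "us-east-1"

if __name__ == "__main__":
    before = missing_for_sse_kms_get([READ_ONLY_ACCESS_SUBSET], OBJECT_ARN, KEY_ARN, REGION)
    print("ReadOnlyAccess only, missing:", before)  # ['kms:Decrypt']
    fixed = [READ_ONLY_ACCESS_SUBSET, kms_decrypt_inline_policy(KEY_ARN, REGION)]
    print("with inline policy, missing:", missing_for_sse_kms_get(fixed, OBJECT_ARN, KEY_ARN, REGION))  # []
    print(json.dumps(kms_decrypt_inline_policy(KEY_ARN, REGION), indent=2))
```

Two practitioner caveats that the exam wording leaves implicit. First, an identity policy is only half of a KMS authorisation: the key policy must also let the account's IAM principals use the key (the usual "Enable IAM User Permissions" statement granting the account root), otherwise kms:Decrypt in the role is not enough. Second, the kms:ViaService condition is what keeps option C tight: the same role cannot turn the grant into a general-purpose Decrypt by calling KMS directly, which the last two assertions in the model reflect. Before and after attaching the inline policy, aws iam simulate-principal-policy against the role ARN for s3:GetObject and kms:Decrypt gives the same answer without touching production data.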

Comments

IPLogic
3 days, 22 hours ago
Selected Answer: C
To resolve the IAM access issue, the administrator should ensure that the IAM role has the necessary permissions to decrypt the encrypted files in the S3 bucket. Since the files are encrypted, the role needs kms:Decrypt permissions to access them. Therefore, the correct answer is C. Attaching an inline policy with kms:Decrypt permissions to the IAM role will allow the application running on the EC2 instance to read the encrypted files from the S3 bucket. Option A is not ideal because editing the AWS managed ReadOnlyAccess policy is not possible. Option B is unnecessary because the S3 bucket policy already allows access. Option D is too broad and grants more permissions than needed, which is not a best practice for security.
upvoted 1 times
aescudero51
6 months, 1 week ago
Selected Answer: C
C is correct.
upvoted 2 times
fibonacciname
6 months, 2 weeks ago
Selected Answer: C
C is correct; ReadOnlyAccess is an AWS-administered policy and can't be edited.
upvoted 2 times
fibonacciname
6 months, 2 weeks ago
Selected Answer: B
B is correct; ReadOnlyAccess is an AWS-administered policy and can't be edited.
upvoted 1 times
fibonacciname
6 months, 2 weeks ago
That is wrong; the answer is C.
upvoted 1 times
Certified101
6 months, 3 weeks ago
Selected Answer: C
C is correct; you can't edit an AWS managed policy. You need to create a new inline policy.
upvoted 1 times
Nash101
6 months, 3 weeks ago
Selected Answer: C
A. Edit ReadOnlyAccess Policy: Modifying the ReadOnlyAccess policy to include kms:Decrypt actions would grant these permissions to any role or user attached to that policy. This might be more permissive than necessary and could introduce security risks if the policy is used elsewhere.
B. Add Role to S3 Bucket Policy: While adding the EC2 instance profile role to the S3 bucket policy would allow access, it bypasses IAM role-based access control and couples the policy directly to the instance role. This approach is less flexible and doesn't leverage the benefits of IAM roles for managing access.
D. Attach Policy with S3:* Permissions: Granting S3:* permissions through an inline policy would provide excessive access to the application. It's essential to follow the principle of least privilege and only grant the necessary kms:Decrypt permissions for the specific KMS key used for encryption.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other