
Exam AWS Certified Security - Specialty topic 1 question 9 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 9
Topic #: 1

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.
Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.
Which of the following options will mitigate the threat? (Choose two.)

  • A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.
  • B. Block outbound access to public S3 endpoints on the proxy server.
  • C. Configure Network ACLs on Server X to deny access to S3 endpoints.
  • D. Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.
  • E. Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.
Suggested Answer: AB
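As an added worked example (not code from the exam page or from AWS), here is the kind of S3 gateway endpoint policy that option A describes, together with a small evaluator that mimics IAM's default-deny matching so the effect can be checked offline. The account id and bucket name are assumed placeholders, and the s3:ResourceAccount condition is an extra guard beyond what the question requires.

```python
import fnmatch
import json

# Constructed example, not from the exam page or AWS documentation.
# Account id and bucket name are placeholders. The document would be
# attached with: aws ec2 modify-vpc-endpoint --policy-document file://policy.json
ACCOUNT_1 = "111111111111"
LEGIT_BUCKET = "legit-uploads-account1"
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyAccount1Bucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{LEGIT_BUCKET}", f"arn:aws:s3:::{LEGIT_BUCKET}/*"],
        # Belt and braces: the target bucket must also be owned by Account 1.
        "Condition": {"StringEquals": {"s3:ResourceAccount": ACCOUNT_1}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def endpoint_allows(policy, action, resource_arn, resource_account):
    """Minimal evaluator for the IAM subset used above (default deny,
    explicit Deny wins, '*' and '?' wildcards in Action and Resource)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:ResourceAccount")
        if wanted is not None and wanted != resource_account:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(ENDPOINT_POLICY, indent=2))
    legit = f"arn:aws:s3:::{LEGIT_BUCKET}/report.enc"
    print(endpoint_allows(ENDPOINT_POLICY, "s3:PutObject", legit, ACCOUNT_1))
    print(endpoint_allows(ENDPOINT_POLICY, "s3:PutObject", "arn:aws:s3:::exfil-bucket/report.enc", "222222222222"))
```

The endpoint policy only governs traffic that actually traverses the endpoint, which is why the thread pairs it with option B, blocking the public S3 endpoints on the proxy.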

Comments

Nebolos
Highly Voted 3 years, 7 months ago
A & B for me
upvoted 22 times
Hungdv
Highly Voted 3 years, 6 months ago
A and B. You cannot block the VPC endpoint at the security group, but you can use the CLI to find the VPC endpoint IP range and block those IPs in the proxy configuration. C could work, but you don't want to block the VPC endpoint at the subnet because it affects all instances in that subnet. https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/
upvoted 9 times
Bosch123
2 years, 7 months ago
A and C. A - definite reason for secure S3 access. Not B - because a security group can't block any IP/prefix (it only allows). Also, the proxy server has internet access, which means the proxy server's SG must allow outbound to 0.0.0.0. Only C can block the VPC endpoint IP range in the proxy server subnet NACL, although it will apply the same rule to any server in that subnet.
upvoted 5 times
Robert0
1 year, 10 months ago
But option B (Block outbound access to public S3 endpoints on the proxy server) explicitly says that it is the proxy that blocks the request, not the Security Group.
upvoted 1 times
Gustava6272
3 years, 6 months ago
A and B, but your 2nd reasoning is wrong; an SG can block a VPCE. You cannot use an AWS prefix list ID in an outbound rule in a network ACL to allow or deny outbound traffic to the service specified in an endpoint. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for the service instead. You can, however, use an AWS prefix list ID in an outbound security group rule. Ref: Gateway endpoint limitation section at https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html
upvoted 4 times
0x00infosec
Most Recent 7 months ago
A & B
A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1. This allows the application to access S3 without going through the internet, and you can enforce access controls to restrict which buckets can be accessed.
B. Block outbound access to public S3 endpoints on the proxy server. By preventing access to public S3 endpoints, you reduce the risk of sensitive data being uploaded to an external S3 bucket controlled by an unauthorized account.
upvoted 1 times
Deyemzy
10 months, 3 weeks ago
A & B. C might seem viable, but Network ACLs (NACLs) are stateless and do not offer the fine-grained control needed to allow legitimate S3 access while blocking unauthorized S3 endpoints.
upvoted 1 times
jlggross
9 months, 2 weeks ago
For me C is wrong because of this part of the question statement: "Legitimate access to S3 is required". That said, you should NOT have NACLs blocking access to S3 buckets; access to S3 buckets is required.
upvoted 1 times
Raphaello
1 year, 2 months ago
Selected Answer: AB
We want to deny the host from uploading our data to an external account's S3 bucket.
1. Block access to public S3 endpoints.
2. Bypass the proxy to reach our own S3 VPC endpoint.
Correct answers: AB
upvoted 1 times
Benah
1 year, 7 months ago
A & B for me
upvoted 1 times
Green53
1 year, 10 months ago
Selected Answer: AB
B - Block outbound access to S3, so it has to go through the endpoint.
A - Reduce the buckets that can be accessed via the endpoint.
C - This may impact multiple workloads.
D - You don't want public IPs whitelisted.
E - Just a bad idea.
upvoted 2 times
Robert0
1 year, 10 months ago
Selected Answer: AB
I think AB are correct. C is not compatible with A. In option A we're enabling VPC endpoints to access the S3 bucket directly, and option C denies the traffic to the VPC S3 endpoints.
upvoted 2 times
unravikumar
1 year, 11 months ago
Selected Answer: AB
AB seems correct to me
upvoted 1 times
matrpro
1 year, 12 months ago
Selected Answer: AB
In my opinion, C is not as good as B, because with C you deny access to every bucket, not only the external one.
upvoted 1 times
roguecloud
2 years, 3 months ago
A & B. Boils down like this:
A. Correct. This is the first action, and best practice: first secure S3 -> Instance communication.
B. This appears to be correct; however, it would be negated IF A is done and IF that proxy is ONLY for S3 communication, in which case it is advisable to remove the proxy server.
C. Don't want to do this; this will break any other workloads in the subnet, AND note from the question: "Legitimate access to S3 is required".
D. This is potentially close; the red flag is the "public IP addresses associated with the server" (it SHOULD not have any, as it is getting internet access through the proxy, as stated), and hopefully it is in a private subnet as it holds sensitive data.
E. Definitely not.
upvoted 3 times
razguru
2 years, 3 months ago
A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1. -- Correct.
B. Block outbound access to public S3 endpoints on the proxy server. -- Correct; the proxy server uses a rule set to allow/deny the traffic, so it is a viable place to tighten the security.
C. Configure Network ACLs on Server X to deny access to S3 endpoints. -- Incorrect, because a NACL applies at the subnet level, not to a server alone.
upvoted 1 times
boooliyooo
2 years, 3 months ago
Selected Answer: AD
Option B, blocking outbound access to public S3 endpoints on the proxy server, would prevent the legitimate access to the S3 bucket that the application needs in order to upload encrypted files. While this would prevent the malicious employee from exfiltrating data to a public S3 bucket, it would also prevent the application from functioning as intended, which could negatively impact business operations. Therefore, this option would not be the best choice to mitigate the threat in this scenario.
upvoted 5 times
sakibmas
2 years, 4 months ago
Selected Answer: AB
- A Network ACL cannot be applied on Server X.
- A security group rule cannot deny traffic.
upvoted 2 times
exam67
2 years, 4 months ago
Selected Answer: AB
With A you prevent upload to all buckets except the one you control, for all traffic going through the VPC endpoint. With B you prevent upload to all buckets (including the one you control) in case the intruder bypasses the VPC endpoint.
upvoted 4 times
gg12345
2 years, 5 months ago
Selected Answer: AB
Agree with other comments.
upvoted 1 times
sakibmas
2 years, 7 months ago
The proxy server is not able to inspect any of the server communication due to TLS encryption. Thus, "Block outbound access to public S3 endpoints on the proxy server" cannot be accurate. I will go with A & C.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other