Exam AWS Certified Security - Specialty topic 1 question 287 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 287
Topic #: 1

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket.
A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching.
What is the FASTEST way to prevent the sensitive data from being exposed?

  • A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
  • B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
  • C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
  • D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.
Suggested Answer: C
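The containment sequence from the suggested answer (revoke the role's active sessions, add an explicit Deny to the bucket policy, detach the instance profile) written out as an added example; this is not code from the exam page or from AWS. It assumes boto3-style `iam`, `s3` and `ec2` clients are injected, the role name, ARN, bucket and association id are placeholders, and the session-revocation policy mirrors the AWSRevokeOlderSessions inline policy that the IAM console attaches (see the IAM docs link in the comments).

```python
"""Contain a compromised EC2 instance role (option C) as three API calls.
Added example, not from the exam page; boto3-style clients are injected so
the logic can be exercised offline with stubs."""
from datetime import datetime, timezone
import json

REVOKE_POLICY_NAME = "AWSRevokeOlderSessions"  # name the IAM console uses


def revoke_older_sessions_policy(cutoff: datetime) -> dict:
    """Inline policy denying everything to sessions issued before `cutoff`,
    the same effect as the console's "Revoke active sessions" button.
    Sessions assumed after the cutoff are unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }


def bucket_deny_statement(bucket: str, role_arn: str) -> dict:
    """Explicit Deny for the role principal: an explicit Deny wins over any
    Allow in the role's identity policy, so it also covers fresh sessions."""
    return {
        "Sid": "DenyCompromisedRole", "Effect": "Deny",
        "Principal": {"AWS": role_arn}, "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }


def contain_instance_role(iam, s3, ec2, *, role_name, role_arn, bucket,
                          association_id, now=None) -> list:
    """Run the three steps in order and return the names of those performed.
    Note: put_bucket_policy replaces the whole bucket policy; in production,
    merge the deny statement into the result of get_bucket_policy first."""
    cutoff = now or datetime.now(timezone.utc)
    iam.put_role_policy(RoleName=role_name, PolicyName=REVOKE_POLICY_NAME,
                        PolicyDocument=json.dumps(revoke_older_sessions_policy(cutoff)))
    policy = {"Version": "2012-10-17",
              "Statement": [bucket_deny_statement(bucket, role_arn)]}
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    ec2.disassociate_iam_instance_profile(AssociationId=association_id)
    return ["revoke_sessions", "bucket_deny", "detach_profile"]
```

The order matters: the session revocation and the bucket Deny take effect on already-issued credentials, which detaching the profile alone does not, since temporary credentials the instance already holds remain valid until they expire.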

Comments

dumma
Highly Voted 3 years, 6 months ago
Agree it's C
upvoted 15 times
sapien45
2 years, 9 months ago
Truly appreciate your efforts in discussing and proving your point.
upvoted 1 times
MWinter
2 years, 6 months ago
But how could you ensure the application will still be running correctly without the IAM role attached (or with its permissions disabled)?
upvoted 3 times
Raphaello
Most Recent 1 year, 2 months ago
Selected Answer: C
D is a valid solution, but not the fastest as requested. Plus, old or new KMS key are both equally the same for an attacker who has access to the EC2/role that's allowed to use the key. The solution needs to be with the role itself to eliminate further access to sensitive data. Revoke current active session permissions, set the S3 bucket policy to deny the role, and remove the role altogether from the EC2 instance profile. C.
upvoted 1 times
aws_SA
2 years, 2 months ago
C is the answer
upvoted 1 times
jishrajesh
2 years, 3 months ago
Selected C
upvoted 1 times
vikaswalajay
2 years, 7 months ago
Very tricky. The answer is C; focus on the line "due to other critical operations", which means we can stop access to S3 temporarily until patching is done. And the role only has access to S3, so removing the role is not a problem. If the role is removed, then revoking active sessions is better.
upvoted 4 times
vbal
2 years, 7 months ago
All Active Sessions must be dropped immediately first. C.
upvoted 1 times
dcasabona
2 years, 8 months ago
Selected Answer: C
Options C and D are correct, but option C is the fastest method, which is what is being requested.
upvoted 2 times
f4bi4n
3 years ago
C could have an impact on the other services running on the instance. In the question it is written "used by the app", but in C "... remove from the EC2 instance profile". So perhaps D would be a better choice.
upvoted 2 times
Radhaghosh
3 years, 3 months ago
Selected Answer: C
C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
upvoted 1 times
Radhaghosh
3 years, 3 months ago
C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
upvoted 1 times
MillarD
3 years, 3 months ago
Selected Answer: D
C - Not correct - there is nothing like active sessions. D - Correct, you can disable the key for the time being. Fix the issue. Use a new key and re-encrypt the data. Schedule the old key for deletion.
upvoted 1 times
justfmm
3 years, 3 months ago
IAM immediately attaches a policy named AWSRevokeOlderSessions to the role. The policy denies all access to users who assumed the role before the moment you chose Revoke active sessions. Any user who assumes the role after you chose Revoke active sessions is not affected. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
upvoted 2 times
sapien45
2 years, 9 months ago
E - Do your research: https://www.netskope.com/wp-content/uploads/2019/08/Securing-AWS-Temoiraryy-Tokens-5-1024x666.png
upvoted 1 times
Sisun
3 years, 4 months ago
Selected Answer: C
C as agreed
upvoted 2 times
hk436
3 years, 6 months ago
C is my answer!
upvoted 1 times
CloudMasterGuru
3 years, 6 months ago
C is the answer
upvoted 1 times
kiev
3 years, 6 months ago
C for me too
upvoted 2 times
stamford
3 years, 6 months ago
It is C
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other