Amazon Exam SCS-C02 Topic 5 Question 20 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 20
Topic #: 5

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAM Lambda function into each account that copies the relevant log files to the centralized S3 bucket.

The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this:

The centralized S3 bucket policy looks like this:

Why is the Security Engineer unable to access the log files?

Suggested Answer: B

For increased security while ensuring functionality, adjusting NACL3 to allow inbound traffic on port 5432 from the CIDR blocks of the application instance subnets, and allowing outbound traffic on ephemeral ports (1024-65536) back to those subnets creates a secure path for database access. Removing default allow-all rules enhances security by implementing the principle of least privilege, ensuring that only necessary traffic is permitted.
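As an added illustration, not part of the exam question, the suggested answer or any comment below, the toy evaluator here models the two rules the commenters are arguing over: within one account an Allow in either the user's IAM policy or the bucket policy is enough, a cross-account principal such as the copying Lambda role needs an Allow in both, and an explicit Deny in either blocks access. All account IDs, ARNs and policies are constructed, and it extends the page's case to the cross-account writes as well as the engineer's reads.

```python
# Constructed toy model of the S3 authorization decision behind this question.
# Policies, account IDs and ARNs are made up; only a small subset of IAM is modelled.
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, principal_arn):
    """Does the statement cover this action, resource and (bucket policy) principal?"""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    if "Principal" not in stmt:  # identity policy: applies to the user it is attached to
        return True
    return any(fnmatchcase(principal_arn, p) for p in _as_list(stmt["Principal"]))


def is_allowed(principal, identity_policy, bucket_account, bucket_policy, action, resource):
    """principal is (account_id, arn). An explicit Deny in either policy wins; a
    same-account principal needs an Allow in either policy, while a cross-account
    principal needs an Allow in both (simplified IAM evaluation logic)."""
    account, arn = principal
    ident = [s["Effect"] for s in identity_policy if _matches(s, action, resource, arn)]
    bucket = [s["Effect"] for s in bucket_policy if _matches(s, action, resource, arn)]
    if "Deny" in ident or "Deny" in bucket:
        return False
    if account == bucket_account:
        return "Allow" in ident or "Allow" in bucket
    return "Allow" in ident and "Allow" in bucket


# Constructed scenario: central account 111111111111 owns the log bucket and the
# engineer's user; application account 222222222222 runs the copying Lambda role.
CENTRAL = "111111111111"
LOGS = "arn:aws:s3:::central-logs/*"
ENGINEER = (CENTRAL, "arn:aws:iam::111111111111:user/security-engineer")
LAMBDA_ROLE = ("222222222222", "arn:aws:iam::222222222222:role/log-copier")
# The engineer's user policy lists the bucket but never grants GetObject on objects.
ENGINEER_POLICY = [{"Effect": "Allow", "Action": "s3:ListBucket",
                    "Resource": "arn:aws:s3:::central-logs"}]
# The bucket policy only lets the application account's role write objects.
BUCKET_POLICY = [{"Effect": "Allow", "Principal": LAMBDA_ROLE[1],
                  "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": LOGS}]
LAMBDA_POLICY = [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": LOGS}]
FIXED_ENGINEER_POLICY = ENGINEER_POLICY + [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": LOGS}]
```

The model ignores object ownership: an object written by another account's Lambda stays owned by that account unless it was uploaded with the bucket-owner-full-control ACL or the bucket uses the bucket owner enforced Object Ownership setting, and no policy of the bucket owner can grant what the object owner has not.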


Contribute your Thoughts:

Mignon
24 days ago
I'm guessing the engineer is wishing they had a magic 'fix-all-my-problems' button right about now.
upvoted 0 times
Naomi
25 days ago
Haha, maybe the engineer just needs to take a step back and remember the golden rule: 'Grant the least privilege necessary.'
upvoted 0 times
Carey
2 days ago
The bucket policy doesn't allow access from the Engineer's IAM user.
upvoted 0 times
Tatum
12 days ago
The Engineer's IAM user policy is too restrictive.
upvoted 0 times
Geoffrey
27 days ago
But the engineer's IAM policy also doesn't grant the required permissions to read objects in the S3 bucket. Both the bucket policy and the IAM policy need to be fixed.
upvoted 0 times
Vicky
28 days ago
I agree; the bucket policy is the problem here. The engineer needs to update the policy to grant the necessary permissions.
upvoted 0 times
Aracelis
14 days ago
The bucket policy is too restrictive.
upvoted 0 times
Veronika
2 months ago
The issue seems to be with the S3 bucket policy. It doesn't explicitly allow the Security Engineer's IAM user to access the objects in the bucket.
upvoted 0 times
Sharika
5 days ago
D: It seems like the s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
upvoted 0 times
Amira
12 days ago
C: The object ACLs should also be updated to allow users within the centralized account to access the objects.
upvoted 0 times
Alex
23 days ago
B: That's right, the Security Engineer's IAM policy needs to grant permissions to read objects in the S3 bucket.
upvoted 0 times
Tuyet
28 days ago
A: The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
upvoted 0 times
Evan
2 months ago
Maybe the IAM policy of the Security Engineer also needs to be adjusted to grant permissions to read objects in the S3 bucket.
upvoted 0 times
Lashon
2 months ago
I agree with Viola. The bucket policy needs to be updated to grant access to the Security Engineer.
upvoted 0 times
Viola
2 months ago
I think the Security Engineer is unable to access the log files because the S3 bucket policy does not explicitly allow access.
upvoted 0 times