
Answer-first summary for fast verification
Answer: Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
The correct answer is C. Revoking the role's active sessions (in practice, attaching an inline policy that denies every action to credentials issued before the revocation time) invalidates the temporary credentials the instance already holds. The explicit Deny in the bucket policy blocks the role at the resource side no matter what IAM grants it. Removing the role from the instance profile stops the instance metadata service from issuing fresh credentials, which the session revocation alone would not cover. Each step is a single API call made outside the instance, so the exposure is contained without taking the workload offline. Option D would also protect the data, but disabling the key breaks every other consumer of it, and re-encrypting 2 TB under a new key is a long, multi-step job rather than an immediate mitigation. Option A moves the 2 TB through yet another instance before the risk is reduced, and option B relies on a host-based firewall running on the very instance suspected of being compromised, which an attacker with control of the host can simply disable.
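The three steps of option C, worked as an added example that is not code from this page or from AWS. The policy documents are built by pure functions so they can be reviewed offline; only `contain()` talks to AWS, through boto3, which is assumed to be installed and configured. The role, bucket and instance-profile names are placeholders.

```python
"""Emergency containment for a compromised EC2 instance role (option C).

Added example, not code from the LeetQuiz page or from AWS. The policy
documents are built by pure functions so they can be reviewed offline;
contain() is the only function that talks to AWS, via boto3 (assumed
installed and configured). Role, bucket and profile names are placeholders.
"""
import json
from datetime import datetime, timezone
from typing import Optional

DENY_SID = "DenyCompromisedInstanceRole"


def utc_timestamp(now: Optional[datetime] = None) -> str:
    """Current UTC time in the form the aws:TokenIssueTime condition expects."""
    now = now or datetime.now(timezone.utc)
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def revoke_sessions_policy(issued_before: str) -> dict:
    """Inline role policy equivalent to the IAM console's "Revoke active sessions".
    It denies everything to credentials issued before the timestamp, which kills
    the set the instance currently holds. Credentials issued later are NOT denied,
    so the role must also come off the instance profile (step 3) or IMDS will
    simply hand the instance a fresh, valid set."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}},
        }],
    }


def bucket_deny_statement(bucket: str, role_arn: str) -> dict:
    """Explicit Deny for the role at the resource side. aws:PrincipalArn resolves
    to the role ARN for every session assumed from it, so no session is exempt,
    and an explicit Deny in the bucket policy wins over any Allow in IAM."""
    return {
        "Sid": DENY_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"ArnEquals": {"aws:PrincipalArn": role_arn}},
    }


def with_deny(policy: Optional[dict], bucket: str, role_arn: str) -> dict:
    """Return the bucket policy with the Deny statement added (or replaced, so
    re-running containment does not stack duplicate statements)."""
    policy = dict(policy) if policy else {"Version": "2012-10-17"}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may appear unwrapped
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != DENY_SID]
    statements.append(bucket_deny_statement(bucket, role_arn))
    policy["Statement"] = statements
    return policy


def contain(role_name: str, role_arn: str, bucket: str, instance_profile: str) -> None:
    """Apply the three steps of option C, in order, against a live account."""
    import boto3                                   # assumed available
    from botocore.exceptions import ClientError
    iam, s3 = boto3.client("iam"), boto3.client("s3")
    # 1. Revoke credentials already issued to the instance.
    iam.put_role_policy(RoleName=role_name, PolicyName="AWSRevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke_sessions_policy(utc_timestamp())))
    # 2. Deny the role at the bucket, whatever IAM later grants it.
    try:
        current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        current = None
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(with_deny(current, bucket, role_arn)))
    # 3. Stop IMDS from issuing fresh credentials to the instance.
    iam.remove_role_from_instance_profile(InstanceProfileName=instance_profile, RoleName=role_name)


if __name__ == "__main__":
    # Dry run with placeholder identifiers: show the documents without calling AWS.
    print(json.dumps(revoke_sessions_policy(utc_timestamp()), indent=2))
    print(json.dumps(with_deny(None, "sensitive-bucket",
                               "arn:aws:iam::123456789012:role/app-role"), indent=2))
```

Run it as-is to inspect the two policy documents; call `contain("app-role", "arn:aws:iam::123456789012:role/app-role", "sensitive-bucket", "app-instance-profile")` from an incident-response account to apply them. The bucket-side Deny is deliberately independent of the IAM-side revocation: if someone later re-attaches the role to an instance profile, the data stays protected until the Deny is removed on purpose.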
Author: LeetQuiz Editorial Team
An application is operating on an Amazon EC2 instance equipped with an IAM role that has permissions to access a customer-managed AWS KMS key and an Amazon S3 bucket storing 2 TB of sensitive data. A security vulnerability has been detected on the EC2 instance, which could potentially lead to the exposure of the sensitive data. However, due to critical operational constraints, the instance cannot be immediately taken offline for vulnerability patching. What is the quickest approach to mitigate the risk of sensitive data exposure?
A
Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
B
Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
C
Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.
D
Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.