
An application is operating on an Amazon EC2 instance equipped with an IAM role that has permissions to access a customer-managed AWS KMS key and an Amazon S3 bucket storing 2 TB of sensitive data. A security vulnerability has been detected on the EC2 instance, which could potentially lead to the exposure of the sensitive data. However, due to critical operational constraints, the instance cannot be immediately taken offline for vulnerability patching. What is the quickest approach to mitigate the risk of sensitive data exposure?
A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.

B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.

C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.

D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and re-encrypt all the data with the new key. Schedule the compromised key for deletion.