
Answer-first summary for fast verification
Answer: Update the policy on the S3 gateway endpoint to allow S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.
The correct solution is to update the policy on the S3 gateway endpoint to allow S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values. This ensures that only principals within the company's AWS Organization can reach S3 through the endpoint, and that they can reach only buckets owned by that organization. The instance profile role policy still matters, but on its own it does not prevent compromised instances from accessing external S3 buckets: an attacker on the instance can present credentials other than the instance role, which the role policy does not govern, whereas the endpoint policy applies to every request that passes through the endpoint. Network ACL rules are also ineffective in this scenario, because the S3 gateway endpoint keeps the traffic inside the VPC and blocking port 443 would also cut off the legitimate S3 access the job depends on. Applying a Service Control Policy (SCP) at the organizational level could work, but it is more complex and less targeted than updating the S3 gateway endpoint policy.
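The endpoint policy that answer A describes, together with a small simulation of how its two condition keys behave, as an added example that is not part of the original question or its editorial explanation. The organization ID, the request condition-key sets and the simplified evaluator are constructed for illustration; the evaluator handles only this policy shape and is not a full IAM policy engine.

```python
"""Added example (not from the original page): build the S3 gateway endpoint
policy from answer A and simulate how its conditions treat different requests."""
import json

# Constructed placeholder organization ID; replace with the company's real o-... value.
COMPANY_ORG_ID = "o-exampleorgid"


def build_endpoint_policy(org_id: str) -> dict:
    """Return the VPC endpoint policy: allow S3 actions only when both the
    calling principal and the target bucket belong to the given organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3OnlyWithinOrganization",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": org_id,
                        "aws:ResourceOrgID": org_id,
                    }
                },
            }
        ],
    }


def endpoint_allows(policy: dict, request_keys: dict) -> bool:
    """Minimal evaluator for this policy shape (not a real IAM engine): the
    request is allowed if every StringEquals condition of some Allow statement
    matches the request's condition keys. A key absent from the request (for
    example aws:PrincipalOrgID for credentials outside any organization) never
    matches, so the request is implicitly denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_keys.get(key) == value for key, value in equals.items()):
            return True
    return False


# Constructed requests: the legitimate processing job and two exfiltration patterns.
LEGIT_JOB = {"aws:PrincipalOrgID": COMPANY_ORG_ID, "aws:ResourceOrgID": COMPANY_ORG_ID}
# Instance role (in-org principal) writing to a bucket owned by an outside organization.
EXFIL_WITH_ROLE = {"aws:PrincipalOrgID": COMPANY_ORG_ID, "aws:ResourceOrgID": "o-outsideorg"}
# Credentials from outside the organization writing to an outside bucket; the
# instance profile role policy (option B) never sees this request at all.
EXFIL_WITH_FOREIGN_CREDS = {"aws:PrincipalOrgID": "o-outsideorg", "aws:ResourceOrgID": "o-outsideorg"}


def evaluate_all(org_id: str = COMPANY_ORG_ID) -> dict:
    """Evaluate the three constructed requests against the endpoint policy."""
    policy = build_endpoint_policy(org_id)
    return {
        "legit_job": endpoint_allows(policy, LEGIT_JOB),
        "exfil_with_role": endpoint_allows(policy, EXFIL_WITH_ROLE),
        "exfil_with_foreign_creds": endpoint_allows(policy, EXFIL_WITH_FOREIGN_CREDS),
    }


if __name__ == "__main__":
    # The JSON below is what would be attached to the gateway endpoint.
    print(json.dumps(build_endpoint_policy(COMPANY_ORG_ID), indent=2))
    print(evaluate_all())
```

Only the legitimate in-organization request is allowed; both exfiltration patterns fall through to the implicit deny. The printed JSON can be saved to a file and attached to the endpoint with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <endpoint-id> --policy-document file://policy.json`, after which the job's instances keep their S3 access while writes to buckets outside the organization, with any credentials, are refused at the endpoint.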
Author: LeetQuiz Editorial Team
A company operates a long-running data analysis process on AWS, utilizing Amazon S3 buckets for data storage and a fleet of Amazon EC2 instances managed by an Auto Scaling group for processing. These EC2 instances are located in a private subnet of a VPC without internet access and connect to the S3 buckets through an S3 gateway endpoint with a default access policy. Each EC2 instance is equipped with an instance profile role that permits specific S3 actions for designated buckets. Recently, the company identified that several EC2 instances have been compromised, resulting in unauthorized data exfiltration to an S3 bucket outside their AWS Organization. To address this security breach and ensure the continued operation of the data processing job, a security engineer is tasked with implementing a solution. Which of the following solutions should the engineer select to effectively prevent data exfiltration while maintaining the functionality of the EC2 instances?
A. Update the policy on the S3 gateway endpoint to allow S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.
B. Update the policy on the instance profile role to allow S3 actions only if the value of the aws:ResourceOrgID condition key matches the company's value.
C. Add a network ACL rule to the subnet of the EC2 instances to block outgoing connections on port 443.
D. Apply an SCP on the AWS account to allow S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.