AWS Certified Security - Specialty


A security engineer is tasked with using Amazon EC2 Image Builder to create an image of an EC2 instance. The engineer has set up the pipeline to send logs to an Amazon S3 bucket. However, when running the pipeline, the build fails with an 'AccessDenied: Access Denied' error, status code 403. To resolve this issue while adhering to least privilege access best practices, which two steps should the engineer take?





Explanation:

An 'AccessDenied: Access Denied' response with status code 403 from S3 is an authorization failure, not a connectivity or pipeline-configuration problem: the identity that uploads the build logs is not allowed to write to the bucket. Image Builder performs the build on an EC2 instance launched with the instance profile named in the infrastructure configuration, and that instance profile's role is what signs the S3 upload, so the fix belongs on that role. Under least privilege the engineer grants the role exactly what the build needs rather than broad S3 access. Option B attaches the managed policies Image Builder requires on the instance profile (EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore); these let the build instance run the Image Builder components and be managed by Systems Manager, but they do not on their own grant write access to the log bucket. Option E adds the s3:PutObject permission the instance profile needs to write to the S3 bucket; scoping that grant to the log bucket and its configured key prefix, rather than to all of S3, keeps the permission minimal. Together these two steps are the ones AWS recommends for resolving this access error.
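The following is an added example, not part of the original question or of any AWS documentation, showing the two steps in code: a check for which of the three managed policies is still missing from the role, and a scoped inline policy that grants s3:PutObject only on the log bucket's key prefix. The bucket name, key prefix and role name are hypothetical; the managed policy ARNs are the real AWS-managed ones named in the explanation. `policy_allows_put` is a deliberately small matcher for the statements this script generates, not a reimplementation of IAM's full evaluation logic.

```python
"""Least-privilege instance-profile check and fix for an Image Builder
pipeline that writes build logs to S3 (added example, hypothetical names)."""
import fnmatch
import json

# Managed policies the Image Builder build instance needs (real AWS ARNs).
REQUIRED_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
    "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds",
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
}


def missing_managed_policies(attached_policy_arns):
    """Return the required managed policies not yet attached to the role."""
    return REQUIRED_MANAGED_POLICIES - set(attached_policy_arns)


def log_bucket_policy(bucket, key_prefix):
    """Inline policy that allows writes only under the pipeline's log prefix,
    not to the whole bucket and not to any other bucket."""
    prefix = key_prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ImageBuilderLogUpload",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
        }],
    }


def policy_allows_put(policy, bucket, key):
    """Check whether the policy grants s3:PutObject on bucket/key.
    Handles only Allow statements with string or list Action/Resource,
    which is all log_bucket_policy() produces."""
    target = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # IAM wildcards use '*' and '?', which fnmatch interprets the same way.
        if not any(fnmatch.fnmatchcase("s3:PutObject", a) for a in actions):
            continue
        if any(fnmatch.fnmatchcase(target, r) for r in resources):
            return True
    return False


def fix_instance_profile_role(role_name, bucket, key_prefix, iam=None):
    """Attach the missing managed policies and the scoped inline policy.
    Needs boto3 and AWS credentials; the pure functions above do not."""
    import boto3  # imported lazily so the rest of the module runs offline
    iam = iam or boto3.client("iam")
    attached = [
        p["PolicyArn"]
        for p in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    ]
    for arn in sorted(missing_managed_policies(attached)):
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="ImageBuilderLogUpload",
        PolicyDocument=json.dumps(log_bucket_policy(bucket, key_prefix)),
    )


if __name__ == "__main__":
    # Hypothetical bucket, prefix and role; not taken from the question.
    policy = log_bucket_policy("example-imagebuilder-logs", "pipelines/web-ami")
    print(json.dumps(policy, indent=2))
    print(policy_allows_put(policy, "example-imagebuilder-logs", "pipelines/web-ami/build.log"))
    print(policy_allows_put(policy, "example-imagebuilder-logs", "other/build.log"))
    # fix_instance_profile_role("ImageBuilderInstanceRole",
    #                           "example-imagebuilder-logs", "pipelines/web-ami")
```

The bucket prefix used here should match the S3 key prefix configured in the pipeline's infrastructure configuration; if the bucket is encrypted with a customer managed KMS key, the role additionally needs permission to use that key, which is outside what this question covers.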