AWS Certified Security – Specialty (SCS-C02) — Question 133

A company has an application that needs to get objects from an Amazon S3 bucket. The application runs on Amazon EC2 instances.

All the objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The resources in the VPC do not have access to the internet and use a gateway VPC endpoint to access Amazon S3.

The company discovers that the application is unable to get objects from the S3 bucket.

Which factors could cause this issue? (Choose three.)

Answer options

• A. The IAM instance profile that is attached to the EC2 instances does not allow the s3:ListBucket action for the S3 bucket.
• B. The IAM instance profile that is attached to the EC2 instances does not allow the s3:ListParts action for the S3 bucket.
• C. The KMS key policy that encrypts the objects in the S3 bucket does not allow the kms:ListKeys action to the EC2 instance profile ARN.
• D. The KMS key policy that encrypts the objects in the S3 bucket does not allow the kms:Decrypt action to the EC2 instance profile ARN.
• E. The S3 bucket policy does not allow access from the gateway VPC endpoint.
• F. The security group that is attached to the EC2 instances is missing an inbound rule from the S3 managed prefix list over port 443.

Correct answer: A, D, E

Explanation

The correct answers A, D, and E are crucial for allowing the EC2 instances to access the S3 bucket. Specifically, A addresses the necessary permissions to list the bucket's contents, D is essential for decrypting the objects using the KMS key, and E ensures that the bucket policy permits access from the VPC endpoint. Options B and C are not correct because they either pertain to actions not required for retrieving objects or do not directly impact access from the EC2 instances to the S3 bucket.