AWS Certified Security – Specialty (SCS-C02) — Question 174

A company has a batch-processing system that uses Amazon S3, Amazon EC2, and AWS Key Management Service (AWS KMS). The system uses two AWS accounts: Account A and Account B.

Account A hosts an S3 bucket that stores the objects that will be processed. The S3 bucket also stores the results of the processing. All the S3 bucket objects are encrypted by a KMS key that is managed in Account A.

Account B hosts a VPC that has a fleet of EC2 instances that access the S3 bucket in Account A by using statements in the bucket policy. The VPC was created with DNS hostnames enabled and DNS resolution enabled.

A security engineer needs to update the design of the system without changing any of the system's code. No AWS API calls from the batch-processing EC2 instances can travel over the internet.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

Correct answer: A, C

Explanation

The correct steps are A and C. Option A creates a gateway VPC endpoint for Amazon S3 in the VPC that hosts the instances. A gateway endpoint is reached through a prefix-list route added to the subnet route tables, so the instances keep calling the regional S3 hostname they already use, the traffic never leaves the AWS network, and no code changes. The endpoint only changes the network path: the bucket is still in Account A and the existing bucket-policy statements still govern authorization. Option C covers AWS KMS, which the question lists among the services the system uses, so KMS API calls from the instances are also subject to the no-internet requirement. KMS has no gateway endpoint type, so this must be an interface endpoint, and because the code cannot change, the endpoint's private DNS name must be enabled so that the default kms.<region>.amazonaws.com hostname resolves to the endpoint's private IP addresses inside the VPC. That is why the question points out that the VPC has DNS hostnames and DNS resolution enabled: both are prerequisites for private DNS on an interface endpoint. The remaining options either use the wrong endpoint type for the service or leave the KMS endpoint without the DNS settings that make it transparent to the unchanged code.
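As an added illustration that is not part of the exam item or its explanation, the Python function below audits a VPC's endpoint configuration against the two requirements the correct answer encodes: a gateway endpoint for S3 that is associated with the instances' route tables, and an interface endpoint for KMS with private DNS enabled in a VPC whose DNS attributes permit it. The input shape mirrors the `VpcEndpoints` list returned by boto3's `ec2.describe_vpc_endpoints()` and the two flags `ec2.describe_vpc_attribute()` reports; the region, endpoint IDs, subnet and route-table IDs and both sample designs are constructed, so the script runs offline and a live audit would simply pass those API results in.

```python
"""Offline audit of the VPC-endpoint design from this question.

`endpoints` follows the shape of the 'VpcEndpoints' list returned by
boto3's ec2.describe_vpc_endpoints(); `dns_support` / `dns_hostnames`
are the values ec2.describe_vpc_attribute() reports for EnableDnsSupport
and EnableDnsHostnames. All sample data below is constructed, not
captured from a real account.
"""
from typing import Iterable


def audit_private_path(region: str, endpoints: list[dict],
                       instance_route_table_ids: Iterable[str],
                       dns_support: bool, dns_hostnames: bool) -> list[str]:
    """Return a list of findings; an empty list means the design meets both
    requirements (no internet path for S3 or KMS calls, no code change)."""
    findings: list[str] = []
    s3_service = f"com.amazonaws.{region}.s3"
    kms_service = f"com.amazonaws.{region}.kms"
    live = [e for e in endpoints if e.get("State") == "available"]
    s3 = [e for e in live if e["ServiceName"] == s3_service]
    kms = [e for e in live if e["ServiceName"] == kms_service]

    # S3: the regional hostname keeps working without code changes only through
    # a gateway endpoint, which is reached via a route, so every route table the
    # instances use must be associated with it.
    gateways = [e for e in s3 if e["VpcEndpointType"] == "Gateway"]
    if not gateways:
        kind = "interface endpoint only" if s3 else "no endpoint"
        findings.append(f"S3: {kind}; a gateway endpoint is required for a no-code-change private path")
    else:
        covered = {rt for e in gateways for rt in e.get("RouteTableIds", [])}
        missing = sorted(set(instance_route_table_ids) - covered)
        if missing:
            findings.append(f"S3: gateway endpoint not associated with route table(s) {', '.join(missing)}")

    # KMS: only interface endpoints exist. Private DNS makes the default
    # kms.<region>.amazonaws.com name resolve to the endpoint's private IPs,
    # and it depends on the VPC having DNS support and DNS hostnames enabled.
    interfaces = [e for e in kms if e["VpcEndpointType"] == "Interface"]
    if not interfaces:
        findings.append("KMS: no interface endpoint; KMS API calls would leave via the internet")
    else:
        if not (dns_support and dns_hostnames):
            findings.append("VPC: EnableDnsSupport and EnableDnsHostnames must both be true for private DNS")
        for e in interfaces:
            if not e.get("PrivateDnsEnabled", False):
                findings.append(f"KMS {e['VpcEndpointId']}: PrivateDnsEnabled is false, so unchanged code "
                                f"still resolves kms.{region}.amazonaws.com to public IPs")
            if not e.get("SubnetIds"):
                findings.append(f"KMS {e['VpcEndpointId']}: no subnets, endpoint has no ENIs to reach")
    return findings


REGION = "us-east-1"                               # constructed
INSTANCE_ROUTE_TABLES = ["rtb-0aaa111122223333a"]  # constructed: route table of the batch subnets

# Constructed "wrong" design: S3 via an interface endpoint, KMS interface
# endpoint with private DNS left off.
WEAK_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0s3iface00000001", "VpcEndpointType": "Interface",
     "ServiceName": f"com.amazonaws.{REGION}.s3", "State": "available",
     "SubnetIds": ["subnet-0b1"], "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0kms000000000001", "VpcEndpointType": "Interface",
     "ServiceName": f"com.amazonaws.{REGION}.kms", "State": "available",
     "SubnetIds": ["subnet-0b1"], "PrivateDnsEnabled": False},
]

# Constructed design matching the correct answer (options A and C).
CORRECTED_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0s3gw0000000001", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.s3", "State": "available",
     "RouteTableIds": ["rtb-0aaa111122223333a"]},
    {"VpcEndpointId": "vpce-0kms000000000002", "VpcEndpointType": "Interface",
     "ServiceName": f"com.amazonaws.{REGION}.kms", "State": "available",
     "SubnetIds": ["subnet-0b1"], "PrivateDnsEnabled": True},
]


def audit_weak() -> list[str]:
    return audit_private_path(REGION, WEAK_ENDPOINTS, INSTANCE_ROUTE_TABLES, True, True)


def audit_corrected() -> list[str]:
    return audit_private_path(REGION, CORRECTED_ENDPOINTS, INSTANCE_ROUTE_TABLES, True, True)


if __name__ == "__main__":
    for name, result in (("weak", audit_weak()), ("corrected", audit_corrected())):
        print(name, "->", result or "OK")
```

The audit deliberately checks the route-table association for the gateway endpoint and the VPC DNS attributes for the interface endpoint, because those are the two places where a design that looks right on the console still sends traffic to the public service endpoints.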