A company is using AWS to run a long-running analysis process on data that is stored in A…

Question

A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are deployed in a private subnet of a VPC that does not have internet access. The EC2 instances and the S3 buckets are in the same AWS account.
The EC2 instances access the S3 buckets through an S3 gateway endpoint that has the default access policy. Each EC2 instance is associated with an instance profile role that has a policy that explicitly allows the s3:GetObject action and the s3:PutObject action for only the required S3 buckets.
The company learns that one or more of the EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company's organization in AWS Organizations. A security engineer must implement a solution to stop this exfiltration of data and to keep the EC2 processing job functional.
Which solution will meet these requirements?

Accepted Answer

Correct answer: A. A. Update the policy on the S3 gateway endpoint to allow the S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values. — The correct answer is A because updating the S3 gateway endpoint policy to include organization-specific condition keys ensures that only resources within the company's organization can be accessed, effectively preventing data exfiltration. Option B is incorrect as it only addresses the instance profile role, which does not control access at the endpoint level. Option C would block all outbound connections on port 443, disrupting legitimate S3 access. Option D deals with account-level controls rather than the specific S3 gateway endpoint necessary for this scenario.

AWS Certified Security – Specialty (SCS-C02) — Question 56

Answer options

Correct answer: A

Explanation