AWS Certified Security – Specialty (SCS-C03) — Question 52
A healthcare company stores more than 1 million patient records in an Amazon S3 bucket. The patient records include personally identifiable information (PII). The S3 bucket contains hundreds of terabytes of data.
A security engineer receives an alert that was triggered by an Amazon GuardDuty Exfiltration:S3/AnomalousBehavior finding. The security engineer confirms that an attacker is using temporary credentials that were obtained from a compromised Amazon EC2 instance that has s3:GetObject permissions for the S3 bucket. The attacker has begun downloading the contents of the bucket. The security engineer contacts a development team. The development team will require 4 hours to implement and deploy a fix.
The security engineer must take immediate action to prevent the attacker from downloading more data from the S3 bucket.
Which solution will meet this requirement?
Answer options
- A. Revoke the temporary session that is associated with the instance profile that is attached to the EC2 instance.
- B. Quarantine the EC2 instance by replacing the existing security group with a new security group that has no rules applied.
- C. Enable Amazon Macie on the S3 bucket. Configure the managed data identifiers for personally identifiable information (PII). Enable S3 Object Lock on objects that Macie flags.
- D. Apply an S3 bucket policy temporarily. Configure the policy to deny read access for all principals to block downloads while the development team addresses the vulnerability.
Correct answer: A
Explanation
The correct answer is A because revoking the temporary session will immediately terminate the attacker's access to the S3 bucket. Option B may isolate the instance but does not stop the current download. Option C focuses on future prevention rather than immediate action, and option D, while potentially effective, requires time to implement and may not stop the ongoing attack right away.
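What option A looks like in practice, as an added example that is not part of the original question: revoking a role's active sessions means attaching an inline deny policy to the instance-profile role that blocks any credentials issued before a cutoff time (this is what the IAM console's "Revoke active sessions" button does). The role name and policy name are assumed placeholders; the code uses the standard boto3 `put_role_policy` call.

```python
import json
from datetime import datetime, timezone

# Assumed placeholder; the IAM console uses this same policy name for revocations.
POLICY_NAME = "AWSRevokeOlderSessions"


def build_revoke_policy(issued_before: datetime) -> dict:
    """Deny every action to any session whose temporary credentials were
    issued before `issued_before`. Sessions minted later (for example the
    instance's next automatic credential rotation) are unaffected, and
    long-term access keys carry no aws:TokenIssueTime, so they never match."""
    if issued_before.tzinfo is None:
        raise ValueError("issued_before must be timezone-aware (use UTC)")
    cutoff = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}},
        }],
    }


def revoke_role_sessions(role_name: str, issued_before: datetime, iam_client=None) -> dict:
    """Attach the deny policy inline to the compromised instance-profile role.
    Returns the put_role_policy arguments so a caller can log or inspect them."""
    if iam_client is None:
        import boto3  # deferred so the policy builder stays usable offline
        iam_client = boto3.client("iam")
    kwargs = {
        "RoleName": role_name,
        "PolicyName": POLICY_NAME,
        "PolicyDocument": json.dumps(build_revoke_policy(issued_before)),
    }
    iam_client.put_role_policy(**kwargs)
    return kwargs


if __name__ == "__main__":
    # Cut off everything issued before "now" for the role named in the GuardDuty finding.
    # "ec2-patient-records-role" is a placeholder, not a value from the question.
    revoke_role_sessions("ec2-patient-records-role", datetime.now(timezone.utc))
```

The instance itself also loses access until its instance profile rotates credentials, and the inline policy should be removed once the development team's fix is deployed.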