AWS Certified Security – Specialty — Question 288
A development team recently deployed a Java application on a default AWS Elastic Beanstalk environment. The application is unable to connect to an Amazon S3 bucket that has a default configuration in the same account.
What should a security engineer do to troubleshoot this issue?
Answer options
- A. Confirm that the Elastic Beanstalk service role has access to Amazon S3.
- B. Confirm that the Elastic Beanstalk instance profile has access to Amazon S3.
- C. Confirm that the AWSElasticBeanstalkFullAccess managed policy is attached to the Elastic Beanstalk environment.
- D. Confirm that the S3 bucket policy allows access from the Elastic Beanstalk application ARN.
Correct answer: B
Explanation
Applications deployed via AWS Elastic Beanstalk run on Amazon EC2 instances, which retrieve their permissions from the associated EC2 instance profile, not from the Elastic Beanstalk service role. To allow the application to connect to Amazon S3, the instance profile must therefore have the appropriate IAM permissions. The Elastic Beanstalk service role is used only by the service itself to provision and manage environment resources.