A security team is developing an application on an Amazon EC2 instance to get objects fro…

Question

A security team is developing an application on an Amazon EC2 instance to get objects from an Amazon S3 bucket. All objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) CMK. All network traffic for requests that are made within the VPC is restricted to the AWS infrastructure. This traffic does not traverse the public internet. The security team is unable to get objects from the S3 bucket. Which factors could cause this issue? (Choose three.)

Accepted Answer

Correct answer: A, D, E. A. The IAM instance profile that is attached to the EC2 instance does not allow the s3:ListBucket action to the S3 bucket in the AWS accounts. — D. The KMS key policy that encrypts the object in the S3 bucket does not allow the kms:Decrypt action to the EC2 instance profile ARN. — E. The security group that is attached to the EC2 instance is missing an outbound rule to the S3 managed prefix list over port 443. — To successfully retrieve and decrypt the objects privately, the EC2 instance's IAM role needs s3:ListBucket permissions to locate the objects, and the KMS key policy must allow the kms:Decrypt action to decrypt the encrypted S3 objects. Additionally, because the traffic is kept within the AWS private network (typically using an S3 Gateway Endpoint), the EC2 instance's security group must explicitly allow outbound HTTPS traffic (port 443) to the S3 managed prefix list. Inbound rules on the EC2 security group are not required for this outbound-initiated connection, and actions like s3:ListParts or kms:ListKeys are unnecessary for simple object retrieval.

AWS Certified Security – Specialty — Question 300

Answer options

Correct answer: A, D, E

Explanation