AWS Certified Security – Specialty — Question 312

A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in an Amazon S3 bucket. The log files are encrypted using AWS KMS. A security engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance. The security engineer is unable to access the logs in the S3 bucket and receives an access denied error message.

What should the security engineer do to fix this issue?

Answer options

• A. Check that the role the security engineer uses grants permission to decrypt objects using the KMS CMK.
• B. Check that the role the security engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
• C. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects.
• D. Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK.

Correct answer: C

Explanation

Because the third-party tool is running on an Amazon EC2 instance, it uses the permissions of the EC2 instance profile to make API calls to AWS. To access and read the encrypted logs, this EC2 instance profile's IAM role must have permissions to both retrieve objects from the S3 bucket and decrypt those objects using the KMS CMK. Options A and B are incorrect because the permissions must be attached to the instance profile rather than the engineer's user role, and Option D is incorrect because it fails to grant the required S3 bucket access.