AWS Certified Security – Specialty — Question 342
A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue. All the company’s accounts are within an organization in AWS Organizations. The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.
What should the security engineer do to meet these requirements?
Answer options
- A. Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.
- B. In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.
- C. Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.
- D. Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.
Correct answer: C
Explanation
Option C is correct because interface VPC endpoints keep traffic to Amazon SQS on the private AWS network, the aws:SourceVpce condition on the queue policy rejects requests that do not arrive through those endpoints, and the aws:PrincipalOrgId condition on the endpoint policy restricts the endpoints to principals that belong to the organization; together they limit queue access to authorized identities inside the AWS Organization using only AWS-native controls. Options A and B are incorrect because Amazon SQS is a managed, multi-tenant service reached through its API endpoint: security groups and network ACLs apply to VPC network interfaces and subnets, not to SQS queues, so they cannot be attached to a queue. Option D is incorrect because it depends on a third-party CASB, which conflicts with the requirement to minimize investment in tools outside of AWS.
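The two policy documents that option C describes, as an added illustration that is not part of the original question bank: a queue policy that denies any request not arriving through the named interface endpoint, and an endpoint policy that only admits principals from the organization. The queue ARN, endpoint ID and organization ID are placeholders, and request_allowed is a simplified model of just these two checks, not full IAM evaluation.

```python
"""Two-layer control from option C: an SQS queue policy keyed on aws:SourceVpce and
a VPC endpoint policy keyed on aws:PrincipalOrgID. All identifiers are placeholders."""
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-queue"  # placeholder
ENDPOINT_ID = "vpce-0123456789abcdef0"                          # placeholder
ORG_ID = "o-exampleorgid"                                       # placeholder

# Attached to the queue (its Policy attribute). An explicit Deny wins over any Allow,
# so a request that does not come through ENDPOINT_ID is rejected whatever IAM grants.
QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessViaVpcEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "sqs:*",
        "Resource": QUEUE_ARN,
        "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}},
    }],
}

# Attached to the interface endpoint. A principal outside the organization matches
# no Allow statement here, and an endpoint policy with no matching Allow blocks it.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyOrgPrincipals",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}

def policy_json(doc):
    """Serialise a policy document as the CLI expects it, e.g. for
    aws sqs set-queue-attributes or aws ec2 modify-vpc-endpoint --policy-document."""
    return json.dumps(doc, separators=(",", ":"))

def request_allowed(source_vpce, principal_org_id):
    """Simplified model of the two conditions only (the caller's identity policy must
    still grant the action). True only when the request came through the named
    endpoint AND the calling principal belongs to the organization."""
    via_endpoint = source_vpce == ENDPOINT_ID   # queue policy Deny is not triggered
    in_org = principal_org_id == ORG_ID         # endpoint policy Allow matches
    return via_endpoint and in_org
```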