AWS Certified Security – Specialty — Question 418

A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”.

The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
• B. Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
• C. Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.
• D. Ensure that the security engineer’s IAM role has the s3:PutObject permission for the S3 bucket.
• E. Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.

Correct answer: B, E

Explanation

During the EC2 Image Builder process, the build and test instances themselves execute the build tasks and upload logs, meaning permissions must be granted to the EC2 instance profile rather than the user launching the pipeline. To function correctly, this instance profile requires the standard Image Builder and Systems Manager managed policies, along with explicit s3:PutObject permissions to write logs to the target S3 bucket. Granting full access policies or applying permissions to the engineer's IAM role fails to address the instance's access requirements and violates least privilege best practices.