nerdexam

DOP-C02 Question #38: Real Exam Question with Answer & Explanation

The correct answer is D: Modify the post_build command to remove --acl authenticated-read and configure a bucket policy. To prevent unauthorized artifact downloads from the S3 bucket, the DevOps engineer must remove the --acl authenticated-read flag from the aws s3 cp command in the buildspec.yml and implement a restrictive S3 bucket policy to grant read access only to authorized AWS accounts.

Submitted by omar99 · Mar 6, 2026 · Security & Compliance

Question

A company is using an AWS CodeBuild project to build and package an application. The packages are copied to a shared Amazon S3 bucket before being deployed across multiple AWS accounts. The buildspec.yml file contains the following: The DevOps engineer has noticed that anybody with an AWS account is able to download the artifacts. What steps should the DevOps engineer take to stop this?

Options

  • A. Modify the post_build command to use --acl public-read and configure a bucket policy that grants
  • B. Configure a default ACL for the S3 bucket that defines the set of authenticated users as the
  • C. Create an S3 bucket policy that grants read access to the relevant AWS accounts and denies
  • D. Modify the post_build command to remove --acl authenticated-read and configure a bucket policy

Explanation

The root cause is the canned ACL on the upload. --acl authenticated-read grants READ on every uploaded object to the predefined S3 group AuthenticatedUsers, which is every AWS account in existence, not the company's own accounts. That ACL grant is evaluated alongside the bucket policy, so a bucket policy that merely allows the right accounts does not take it away. The fix therefore has two parts: remove --acl authenticated-read from the aws s3 cp command in the post_build phase of buildspec.yml so that new objects carry no extra grants, and attach a bucket policy whose principals are only the AWS accounts that deploy the artifacts. Objects already uploaded with the ACL keep it until their ACL is reset or they are re-uploaded. Two bucket settings make the mistake hard to repeat: S3 Block Public Access rejects ACLs that grant to AuthenticatedUsers or AllUsers, because S3 counts both groups as public, and S3 Object Ownership set to bucket owner enforced disables object ACLs altogether.

Common mistakes.

  • A. Using --acl public-read would make the artifacts publicly accessible to anyone on the internet, which is a severe security vulnerability and exacerbates the problem.
  • B. Configuring a default ACL that grants authenticated users access would continue or reintroduce the problem of overly permissive access for any AWS authenticated principal.
  • C. A bucket policy that grants the relevant accounts access is necessary but leaves the root cause in place: every new build still applies the authenticated-read ACL, and ACL grants are evaluated alongside the bucket policy's allow statements, so the READ grant to AuthenticatedUsers stays effective unless the policy explicitly denies it. Removing the flag from the buildspec fixes the source rather than patching around it.
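The following is an added example and not code from the exam page or from AWS. It shows the two halves of answer D as a guardrail a DevOps engineer could run in CI: scan a buildspec for aws s3 upload commands that apply a canned ACL readable by every AWS account or by the public, rewrite them without that flag, and emit a bucket policy whose principals are only the named accounts. The buildspec text, the bucket name example-shared-artifacts and the account IDs are constructed for illustration.

```python
"""Guardrail for the buildspec pattern in this question: flag `aws s3` upload
commands that apply an ACL readable by any AWS account or by the public,
rewrite them without the flag, and emit a bucket policy that grants read only
to named accounts.

Added example, not from the exam page or from AWS. The buildspec, bucket name
and account IDs below are constructed for illustration.
"""
from __future__ import annotations

import json
import re

# Constructed buildspec showing the misconfiguration the question describes.
BUILDSPEC_BEFORE = """\
version: 0.2
phases:
  build:
    commands:
      - mvn package
  post_build:
    commands:
      - aws s3 cp target/app.zip s3://example-shared-artifacts/app.zip --acl authenticated-read
      - aws s3 cp target/app.zip.sha256 s3://example-shared-artifacts/app.zip.sha256 --acl bucket-owner-full-control
artifacts:
  files:
    - target/app.zip
"""

# Canned ACLs that grant READ to the AuthenticatedUsers group (any AWS account
# in the world) or to the AllUsers group (anyone, no credentials needed).
RISKY_CANNED_ACLS = {"authenticated-read", "public-read", "public-read-write"}
# The same two predefined groups as they appear in the --grant-read uri=... form.
RISKY_GRANTEE_GROUPS = ("groups/global/AuthenticatedUsers", "groups/global/AllUsers")

S3_UPLOAD_CMD = re.compile(r"\baws\s+s3(?:api)?\s+(?:cp|sync|mv|put-object)\b")
ACL_FLAG = re.compile(r"\s--acl\s+(?P<acl>[a-z-]+)")
# Longest alternatives first so "public-read" cannot swallow "public-read-write".
RISKY_ACL_FLAG = re.compile(
    r"\s+--acl\s+(?:" + "|".join(sorted(RISKY_CANNED_ACLS, key=len, reverse=True)) + r")(?=\s|$)"
)


def find_risky_acls(buildspec: str) -> list[tuple[int, str]]:
    """Return (line_number, grant) for each upload command that makes the
    object readable beyond what the bucket policy allows."""
    hits = []
    for lineno, line in enumerate(buildspec.splitlines(), start=1):
        if not S3_UPLOAD_CMD.search(line):
            continue
        m = ACL_FLAG.search(line)
        if m and m.group("acl") in RISKY_CANNED_ACLS:
            hits.append((lineno, m.group("acl")))
        for group in RISKY_GRANTEE_GROUPS:
            if group in line:
                hits.append((lineno, group))
    return hits


def strip_risky_acls(buildspec: str) -> str:
    """Drop the risky --acl flag from upload commands. Other canned ACLs such as
    bucket-owner-full-control are left alone: a writer in another account may
    still need it on a bucket that has not moved to bucket-owner-enforced."""
    fixed = []
    for line in buildspec.splitlines():
        if S3_UPLOAD_CMD.search(line):
            line = RISKY_ACL_FLAG.sub("", line)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


def restrictive_bucket_policy(bucket: str, account_ids: list[str]) -> dict:
    """Bucket policy that grants read only to the listed accounts.

    Granting to an account's root ARN delegates the decision to that account:
    its own IAM policies must still allow s3:GetObject for the deploying role.
    No "*" principal appears, so nothing outside the list can read the bucket."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadArtifactsFromAuthorizedAccounts",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "ListArtifactsFromAuthorizedAccounts",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


if __name__ == "__main__":
    for lineno, grant in find_risky_acls(BUILDSPEC_BEFORE):
        print(f"buildspec.yml:{lineno}: upload grants read to {grant}")
    print(strip_risky_acls(BUILDSPEC_BEFORE))
    policy = restrictive_bucket_policy("example-shared-artifacts", ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))
```

Run as-is, the script reports line 8 of the constructed buildspec, prints the corrected buildspec with the second upload's bucket-owner-full-control ACL untouched, and prints the policy. The --grant-read form that names the AuthenticatedUsers or AllUsers group is only reported, not rewritten, because the right replacement depends on what the grant was meant to do. Existing objects uploaded with the old ACL are not touched by either step and need their ACLs reset or a re-upload.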

Concept tested. S3 access control with ACLs and bucket policies

Reference. https://docs.aws.amazon.com/AmazonS3/latest/userguide/acls-overview.html

Topics

#S3 security · #S3 ACLs · #S3 Bucket Policy · #CodeBuild artifacts
