SCS-C02 Question #89: Real Exam Question with Answer & Explanation

Question

An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching. What is the FASTEST way to prevent the sensitive data from being exposed?

Options

• ADownload the data from the existing S3 bucket to a new EC2 instance. Then delete the data from
• BBlock access to the public range of S3 endpoint IP addresses by using a host-based firewall.
• CRevoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to
• DDisable the current key. Create a new KMS key that the IAM role does not have access to, and

Explanation

Revoking active IAM role sessions and denying access via S3 bucket policy immediately invalidates all existing credentials and blocks new requests, stopping data exposure without requiring instance shutdown.

Common mistakes.

• A. Downloading 2 TB of data to a new instance and deleting the original is extremely time-consuming and not the fastest option for preventing immediate exposure.
• B. Blocking S3 endpoint IP ranges at the host firewall is unreliable because S3 uses many IP addresses and this approach may not block all access paths, including VPC endpoints.
• D. Creating a new KMS key and re-encrypting 2 TB of existing data is a lengthy process that does not provide immediate protection.

Concept tested. Immediate credential revocation and S3 bucket policy deny

Reference. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html

No community discussion yet for this question.