SCS-C03 · Question #132
Question
A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access. The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy. Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required S3 buckets. The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company's AWS Organization. The processing job must continue to function. Which solution will meet these requirements?
Options
- A. Update the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and
- B. Update the instance profile role policy to require aws:ResourceOrgId.
- C. Add a network ACL rule to block outbound traffic on port 443.
- D. Apply an SCP that restricts S3 actions using organization condition keys.
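The condition key that options A, B and D refer to is documented as aws:ResourceOrgID (the page writes aws:ResourceOrgId; IAM matches condition key names case-insensitively). At evaluation time it resolves to the AWS Organizations ID of the organization that owns the resource being accessed. The Python below is an added example, not code from this page or from AWS: a small simulator of how a gateway endpoint policy carrying that condition gates S3 requests. The organization IDs, the bucket names and the mapping of buckets to owning organizations are constructed for the example. It models only the endpoint policy, which is evaluated on the path the traffic takes regardless of whose credentials sign the request; it does not model the instance profile role policy or SCPs named in options B and D, and it does not indicate which option the exam accepts.

```python
"""Added example: simulate an S3 gateway endpoint policy with an
aws:ResourceOrgID condition. Not from the exam page; all IDs are constructed."""
import fnmatch

COMPANY_ORG_ID = "o-exampleorg111"  # constructed organization ID

# Constructed: which organization owns each bucket. This is what AWS resolves
# for aws:ResourceOrgID when a request reaches the bucket. Bucket names are
# hypothetical; "attacker-drop" stands in for a bucket outside the company.
BUCKET_OWNER_ORG = {
    "analysis-input": COMPANY_ORG_ID,
    "analysis-output": COMPANY_ORG_ID,
    "attacker-drop": "o-attackerorg999",
}

# Shape of the default gateway endpoint policy: full access for any principal.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
}

# An endpoint policy that allows S3 actions only when the target resource is
# owned by the company's organization (the condition the options describe).
ORG_RESTRICTED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyResourcesInCompanyOrg",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceOrgID": COMPANY_ORG_ID}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action and resource patterns use '*' wildcards; actions match
    # case-insensitively, which is close enough to IAM for this model.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled. Key names are compared case-insensitively;
    # a key that cannot be resolved for the request fails the test.
    for key, expected in condition.get("StringEquals", {}).items():
        actual = context.get(key.lower())
        if actual is None or actual not in _as_list(expected):
            return False
    return True


def evaluate(policy, action, bucket, key):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one S3 object request."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    # Request context as the service would populate it; unknown owner -> None.
    context = {"aws:resourceorgid": BUCKET_OWNER_ORG.get(bucket)}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policies = [
        ("default", DEFAULT_ENDPOINT_POLICY),
        ("org-restricted", ORG_RESTRICTED_ENDPOINT_POLICY),
    ]
    for name, policy in policies:
        for bucket in list(BUCKET_OWNER_ORG) + ["unknown-bucket"]:
            verdict = evaluate(policy, "s3:PutObject", bucket, "part-0001")
            print(f"{name:15} s3:PutObject {bucket:16} {verdict}")
```

Running the block prints one decision per policy and bucket. With the default policy every PutObject through the endpoint is allowed, including the one to the bucket in another organization. With the org-conditioned policy, reads and writes to buckets owned by the company's organization still pass, so the processing job keeps working, while a bucket owned by another organization, or one whose owner cannot be resolved, falls to an implicit deny.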