SCS-C03 Question #24: Real Exam Question with Answer & Explanation
Correct answer: C
Question
An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching. What is the FASTEST way to prevent the sensitive data from being exposed?
Options
- A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from
- B. Block access to the public range of S3 endpoint IP addresses by using a host-based firewall.
- C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to
- D. Disable the current key. Create a new KMS key that the IAM role does not have access to, and
Explanation
AWS incident response guidance emphasizes rapid containment to stop further data exposure. According to the AWS Certified Security - Specialty Study Guide, the fastest and least disruptive containment for a compromised compute resource is to cut off its credentials and permissions rather than move or re-encrypt data or rebuild infrastructure. Revoking the IAM role's active sessions (the IAM console's "Revoke active sessions" action attaches an inline policy that denies every action to credentials issued before the revocation time, using a DateLessThan condition on aws:TokenIssueTime) invalidates the temporary credentials the instance has already obtained, including any copy an attacker has exfiltrated. Adding an explicit Deny for the role to the S3 bucket policy is evaluated on every request to the bucket and overrides any Allow, so it blocks the data even while cached credentials are still being evaluated and even if the role is later used from another host. Removing the IAM role from the instance profile stops the instance metadata service from issuing fresh credentials, which session revocation alone does not cover, because sessions issued after the revocation time are not denied. None of these steps requires stopping the instance, so the critical workload keeps running. Options A and D involve copying or re-encrypting 2 TB of data, which is slow and operationally expensive and leaves the data exposed while it runs; disabling the key (option D) also breaks every legitimate consumer of that key. Option B relies on a host-based firewall on the very instance that is suspected of being compromised, so an attacker with sufficient privileges on the host can remove the rule; it also does not cover access through a VPC gateway endpoint or an S3 IP range that was not blocked, and it does nothing about credentials already stolen from the instance and used elsewhere. AWS guidance recommends credential revocation and policy-based denial as the first containment step during an active incident.
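The three containment steps of option C, written out as an added example (this is not code from the study guide or from AWS; the account ID, role name, bucket name and instance ID are assumed placeholders). The policy builders produce the same shape of document the IAM console attaches for "Revoke active sessions" and an explicit Deny statement for the bucket; the two small evaluators show which credentials each control actually catches, and `apply_containment` runs the steps against boto3 clients when real credentials are available.

```python
"""Containment helpers for a compromised EC2 instance role (added example).

Assumed placeholders, not from the page: account 123456789012, role
AppDataRole, bucket sensitive-data-bucket, instance i-0123456789abcdef0.
"""
import datetime as dt
import fnmatch
import json

ACCOUNT_ID = "123456789012"
ROLE_NAME = "AppDataRole"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
BUCKET = "sensitive-data-bucket"
INSTANCE_ID = "i-0123456789abcdef0"


def _iso(ts: dt.datetime) -> str:
    # IAM compares aws:TokenIssueTime as an ISO 8601 timestamp in UTC.
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def revoke_sessions_policy(cutoff: dt.datetime) -> dict:
    """Inline policy equivalent to the console's "Revoke active sessions":
    deny every action to credentials issued before the cutoff. Sessions the
    role obtains after the cutoff are unaffected, which is why the instance
    profile must also be detached while the instance can still fetch new ones."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": _iso(cutoff)}},
        }],
    }


def bucket_deny_statement(bucket: str, role_arn: str) -> dict:
    """Explicit Deny for any principal acting as the role. For an assumed
    role, aws:PrincipalArn is the role ARN, so this matches every session of
    it, and an explicit deny in a resource policy wins over any Allow."""
    return {
        "Sid": "DenyCompromisedRole",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"ArnEquals": {"aws:PrincipalArn": role_arn}},
    }


def session_is_revoked(policy: dict, token_issue_time: dt.datetime) -> bool:
    """Evaluate only the DateLessThan/aws:TokenIssueTime condition: enough to
    show that cached credentials issued before the cutoff are denied and
    credentials issued afterwards are not."""
    for stmt in policy["Statement"]:
        cutoff = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if stmt["Effect"] == "Deny" and cutoff and _iso(token_issue_time) < cutoff:
            return True
    return False


def bucket_denies(statement: dict, principal_arn: str, action: str) -> bool:
    """Evaluate the Deny statement for one principal/action pair."""
    if statement["Effect"] != "Deny":
        return False
    if not fnmatch.fnmatchcase(action, statement["Action"]):
        return False
    return principal_arn == statement["Condition"]["ArnEquals"]["aws:PrincipalArn"]


def apply_containment(iam, s3, ec2, now=None):
    """Run the three steps with boto3 clients passed in. Needs
    iam:PutRolePolicy, s3:GetBucketPolicy, s3:PutBucketPolicy,
    ec2:DescribeIamInstanceProfileAssociations and
    ec2:DisassociateIamInstanceProfile; not exercised by the offline checks."""
    now = now or dt.datetime.now(dt.timezone.utc)
    # 1. Revoke every session issued before now (same policy name the console uses).
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="AWSRevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke_sessions_policy(now)))
    # 2. Add the explicit Deny to the bucket policy, keeping existing statements.
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=BUCKET)["Policy"])
    except s3.exceptions.ClientError as exc:
        if exc.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = {"Version": "2012-10-17", "Statement": []}
    policy["Statement"].append(bucket_deny_statement(BUCKET, ROLE_ARN))
    s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(policy))
    # 3. Detach the instance profile so IMDS stops issuing fresh credentials.
    assoc = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [INSTANCE_ID]}])
    for a in assoc["IamInstanceProfileAssociations"]:
        ec2.disassociate_iam_instance_profile(AssociationId=a["AssociationId"])


if __name__ == "__main__":
    import boto3  # only needed for the live run, not for the policy builders
    apply_containment(boto3.client("iam"), boto3.client("s3"), boto3.client("ec2"))
```

Order matters less than completeness: the bucket Deny is the control that is enforced on every request regardless of which credentials are presented, the session revocation kills credentials already copied off the host, and detaching the instance profile closes the source of new ones. Once the instance is patched, remove the AWSRevokeOlderSessions inline policy and the DenyCompromisedRole statement to restore the role.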