Examice

Exam SCS-C01 All QuestionsBrowse all questions from this exam

Question 9

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1). The threat was documented as follows:

Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.

Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an

S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.

Which of the following options will mitigate the threat? (Choose two.)

Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

Block outbound access to public S3 endpoints on the proxy server.

Configure Network ACLs on Server X to deny access to S3 endpoints.

Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.

Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

Correct Answer: A, B

To mitigate the threat of data exfiltration to an unauthorized S3 bucket, it is necessary to implement controls that restrict S3 access to only the intended and authorized S3 buckets. Using an S3 VPC endpoint and configuring its policy to whitelist specific S3 buckets within the authorized AWS account ensures that Server X can only interact with permitted S3 buckets, bypassing the proxy server. Additionally, blocking outbound access to public S3 endpoints at the proxy server will prevent any attempts by the rogue employee to bypass the VPC endpoint and upload data to unauthorized S3 buckets. This combination ensures legitimate access is maintained while preventing unauthorized data exfiltration.

Discussion

Nebolos

A & B for me

Hungdv

A and B. You can not block vpc endpoint at security group, but can use cli to find vpc endpoint IP range and block that IPs in proxy configuration. C could work but you don't want block vpc endpoint at subnet because it affects all instance in that subnet. https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/

Gustava6272

A and B , but your 2nd reasoning is wrong, SG can block VPCE . You cannot use an AWS prefix list ID in an outbound rule in a network ACL to allow or deny outbound traffic to the service specified in an endpoint. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for the service instead. You can, however, use an AWS prefix list ID in an outbound security group rule . Ref Gateway endpoint limitation section at https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html

Bosch123

A and C. A - definite reason for secure s3 access Not B - because security group can't block any IP/Prefix(it only Allows). Also proxy server had internet access that means Proxy Server's SG must allow outbound to 0.0.0.0. Only C - can block VPC Endpoint IP Range in the proxy server subnet NACL. Although it will apply the same rule for any server in that subnet.

Robert0

But option B (Block outbound access to public S3 endpoints on the proxy server) explicitly says that is the proxy who blocks the request, not the Security Group.

boooliyoooOptions: AD

Option B, blocking outbound access to public S3 endpoints on the proxy server, would prevent the legitimate access to the S3 bucket that the application needs in order to upload encrypted files. While this would prevent the malicious employee from exfiltrating data to a public S3 bucket, it would also prevent the application from functioning as intended, which could negatively impact business operations. Therefore, this option would not be the best choice to mitigate the threat in this scenario.

exam67Options: AB

With A you prevent upload to all bucket except the one you control for all traffic going through VPC endpoint. With B you prevent upload to all buckets (including the one you control) in case the intruder bypasses the VPC endpoint.

roguecloud

A & B. Boils down like this: A. Correct, this is the first action, and best practice first securing S3 -> Instance communication. B. This appears to be correct , however would negate IF A is done and IF that proxy is ONLY for S3 communication, then advisable to remove the proxy server. C. Don't want to do this, this will break any other workloads in the Subnet, AND note from the question " Legitimate access to S3 is required" D. This is potentially close, the red flag is the "public IP addresses associated with the server" (it SHOULD not have any as it is getting internet access through the proxy, as stated), and hopefully in a private subnet as it is sensitive data. E. Definitely Not.

Green53Options: AB

B - Block outbound access to S3, so it has to go through the endpoint A - Reduce the buckets that can be accessed via the endpoint C - This may impact multiple workloads D - You don't want public IPs whitelisted E - Just a bad idea

Robert0Options: AB

I think AB are correct. C is not compatible with A. In option A we're enabling VPC endpoints to access directly to the S3 bucket and option C deny the traffic to the VPC S3 endpoints

sakibmasOptions: AB

- Network ACL can not be applied on server X - Security group rule can not deny traffic

sakibmas

The proxy server is not able to inspect any of the server communication due to TLS encryption. Thus, Block outbound access to public S3 endpoints on the proxy server can not be accurate. I will go with A & C

CDV_fr

Can't be A & B ! A says "bypass proxy" and B "restrict on proxy". Then routing is not enforced. A and C is correct.

Deyemzy

A & B --------- C might seem viable, but Network ACLs (NACLs) are stateless and do not offer the fine-grained control needed to allow legitimate S3 access while blocking unauthorized S3 endpoints.

jlggross

For me C is wrong because of this part of the enunciate: "Legitimate access to S3 is required". That said, you should NOT have NACLs blocking access to S3 buckets, access to S3 buckets is required.

RaphaelloOptions: AB

We want to deny the host from uploading our data to external account's S3 bucket. 1. block access to public S3 endpoints 2. bypass the proxy to reach out to our own S3 VPC endpoint Correct answers: AB

Benah

A & B for me

unravikumarOptions: AB

AB seems correct to me

matrproOptions: AB

In my opinion, C is less good than B because in C you deny access to whatever bucket, not only the external one.

razguru

A : Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1 -- Correct B. Block outbound access to public S3 endpoints on the proxy server. -- Correct, proxy server uses rule set to allow/deny the traffic so it is a viable place to tighten the security. C. Configure Network ACLs on Server X to deny access to Shttps://www.examtopics.com/exams/amazon/aws-certified-security-specialty/view/#3 endpoints. - Incorrect because NACL does apply to subnet level not to server alone.

gg12345Options: AB

Agree with other comments.