
SCS-C01 Exam - Question 9


A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from a production host running inside AWS (Account 1). The threat was documented as follows:

Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.

Server X has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM instance role. The proxy server is not able to inspect any of the server communication due to TLS encryption.

Which of the following options will mitigate the threat? (Choose two.)

Correct Answer: AB

To mitigate the threat of data exfiltration to an unauthorized S3 bucket, it is necessary to implement controls that restrict S3 access to only the intended and authorized S3 buckets. Using an S3 VPC endpoint and configuring its policy to whitelist specific S3 buckets within the authorized AWS account ensures that Server X can only interact with permitted S3 buckets, bypassing the proxy server. Additionally, blocking outbound access to public S3 endpoints at the proxy server will prevent any attempts by the rogue employee to bypass the VPC endpoint and upload data to unauthorized S3 buckets. This combination ensures legitimate access is maintained while preventing unauthorized data exfiltration.
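As an added example (not from the exam page or from AWS), the endpoint policy that the explanation above describes, built as a document for the S3 gateway endpoint, together with a simplified default-deny matcher that shows an upload to a bucket outside the allow-list is refused through the endpoint. The bucket name is a placeholder, and the matcher is a stand-in for the real IAM evaluator.

```python
"""S3 gateway endpoint policy that lets Server X reach only the authorized
buckets in Account 1, plus a simplified default-deny matcher showing which
requests it admits.  Bucket names are placeholders (assumptions), not values
from the exam question."""
import fnmatch
import json

# Constructed placeholder: the Account 1 bucket(s) the application may write to.
AUTHORIZED_BUCKETS = ["example-account1-uploads"]


def endpoint_policy(buckets):
    """Policy document for the S3 gateway endpoint. Only the listed buckets and
    their objects are reachable through the endpoint; any other bucket,
    including one in Account 2, is implicitly denied."""
    resources = []
    for b in buckets:
        resources += [f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyAuthorizedAccount1Buckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }


def allows(policy, action, resource_arn):
    """Simplified IAM evaluation (stand-in for the real evaluator): default
    deny, an explicit Deny wins, otherwise a matching Allow admits the request."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def policy_document(buckets):
    """JSON text to pass to `aws ec2 modify-vpc-endpoint --policy-document`."""
    return json.dumps(endpoint_policy(buckets), indent=2)
```

Attach the document with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <endpoint-id> --policy-document file://policy.json`; blocking the public S3 endpoints at the proxy is what forces Server X's S3 traffic through this endpoint in the first place.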

Discussion

17 comments
Nebolos
Sep 21, 2021

A & B for me

Hungdv
Oct 10, 2021

A and B. You cannot block the VPC endpoint at the security group, but you can use the CLI to find the VPC endpoint IP range and block those IPs in the proxy configuration. C could work, but you don't want to block the VPC endpoint at the subnet because it affects all instances in that subnet. https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/

Gustava6272
Oct 23, 2021

A and B, but your 2nd reasoning is wrong: an SG can block a VPCE. You cannot use an AWS prefix list ID in an outbound rule in a network ACL to allow or deny outbound traffic to the service specified in an endpoint. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for the service instead. You can, however, use an AWS prefix list ID in an outbound security group rule. Ref: Gateway endpoint limitation section at https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html

Bosch123
Sep 15, 2022

A and C. A - definite reason for secure S3 access. Not B - because a security group can't block any IP/prefix (it only allows). Also the proxy server has internet access, which means the proxy server's SG must allow outbound to 0.0.0.0. Only C can block the VPC endpoint IP range in the proxy server subnet NACL, although it will apply the same rule to any server in that subnet.

Robert0
Jun 4, 2023

But option B (Block outbound access to public S3 endpoints on the proxy server) explicitly says that it is the proxy that blocks the request, not the security group.

boooliyooo (Options: AD)
Jan 16, 2023

Option B, blocking outbound access to public S3 endpoints on the proxy server, would prevent the legitimate access to the S3 bucket that the application needs in order to upload encrypted files. While this would prevent the malicious employee from exfiltrating data to a public S3 bucket, it would also prevent the application from functioning as intended, which could negatively impact business operations. Therefore, this option would not be the best choice to mitigate the threat in this scenario.

exam67 (Options: AB)
Dec 14, 2022

With A you prevent uploads to all buckets except the one you control, for all traffic going through the VPC endpoint. With B you prevent uploads to all buckets (including the one you control) in case the intruder bypasses the VPC endpoint.

roguecloud
Jan 28, 2023

A & B. Boils down like this:
A. Correct, this is the first action, and best practice: first securing S3 -> instance communication.
B. This appears to be correct; however, it would negate IF A is done, and IF that proxy is ONLY for S3 communication, then it is advisable to remove the proxy server.
C. Don't want to do this, this will break any other workloads in the subnet, AND note from the question "Legitimate access to S3 is required".
D. This is potentially close; the red flag is the "public IP addresses associated with the server" (it SHOULD not have any as it is getting internet access through the proxy, as stated), and hopefully it is in a private subnet as it is sensitive data.
E. Definitely not.

CDV_fr
Sep 21, 2022

Can't be A & B! A says "bypass proxy" and B "restrict on proxy". Then routing is not enforced. A and C is correct.

sakibmas
Sep 26, 2022

The proxy server is not able to inspect any of the server communication due to TLS encryption. Thus, "Block outbound access to public S3 endpoints on the proxy server" cannot be accurate. I will go with A & C.

sakibmas (Options: AB)
Dec 24, 2022

- Network ACL cannot be applied on Server X
- Security group rule cannot deny traffic

Robert0 (Options: AB)
Jun 4, 2023

I think AB are correct. C is not compatible with A. In option A we're enabling VPC endpoints to access the S3 bucket directly, and option C denies the traffic to the VPC S3 endpoints.

Green53 (Options: AB)
Jun 26, 2023

B - Block outbound access to S3, so it has to go through the endpoint
A - Reduce the buckets that can be accessed via the endpoint
C - This may impact multiple workloads
D - You don't want public IPs whitelisted
E - Just a bad idea

gg12345 (Options: AB)
Nov 11, 2022

Agree with other comments.

razguru
Jan 18, 2023

A. Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1 -- Correct
B. Block outbound access to public S3 endpoints on the proxy server. -- Correct, the proxy server uses a rule set to allow/deny the traffic, so it is a viable place to tighten the security.
C. Configure Network ACLs on Server X to deny access to S3 endpoints. -- Incorrect because a NACL applies at the subnet level, not to a server alone.

matrpro (Options: AB)
Apr 29, 2023

In my opinion, C is not as good as B because in C you deny access to every bucket, not only the external one.

unravikumar (Options: AB)
May 26, 2023

AB seems correct to me

Benah
Sep 12, 2023

A & B for me

Raphaello (Options: AB)
Feb 11, 2024

We want to deny the host from uploading our data to an external account's S3 bucket.
1. Block access to public S3 endpoints
2. Bypass the proxy to reach out to our own S3 VPC endpoint
Correct answers: AB

Deyemzy
Jun 10, 2024

A & B. C might seem viable, but Network ACLs (NACLs) are stateless and do not offer the fine-grained control needed to allow legitimate S3 access while blocking unauthorized S3 endpoints.

jlggross
Jul 16, 2024

For me C is wrong because of this part of the question statement: "Legitimate access to S3 is required". That said, you should NOT have NACLs blocking access to S3 buckets; access to S3 buckets is required.