Exam SAP-C02
Question 416

A company has an application that stores data in a single Amazon S3 bucket. The company must keep all data for 1 year. The company’s security team is concerned that an attacker could gain access to the AWS account through leaked long-term credentials.

Which solution will ensure that existing and future objects in the S3 bucket are protected?

    Correct Answer: A

    To ensure that existing and future objects in the S3 bucket are protected against unauthorized access or deletion due to leaked long-term credentials, the best solution is to use an isolated account setup where only the security team can assume roles to manage it. By creating a new AWS account specifically for the security team, setting up an S3 bucket with Versioning and Object Lock enabled, and configuring a default retention period of 1 year, the data is protected from accidental or malicious deletion. Additionally, replicating the existing bucket's contents to the new S3 bucket ensures that even if the original account's credentials are compromised, the data remains secure in the new bucket. This approach combines the principles of least privilege, account isolation, and data integrity measures to offer robust protection.
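As an added illustration (not part of the exam page, the answer key, or any AWS code), the Python below checks whether a bucket's settings actually deliver the protections the answer relies on: versioning on, Object Lock on with a default retention of at least one year, and replication into a bucket owned by a different account. It takes the same dict shapes that boto3's get_bucket_versioning, get_object_lock_configuration and get_bucket_replication return; fetching those responses is assumed to happen elsewhere, and the sample configurations, bucket names and account IDs are constructed. It goes one step beyond the answer text by also requiring COMPLIANCE retention mode, because GOVERNANCE mode can be bypassed by any principal that holds s3:BypassGovernanceRetention, which a leaked administrative credential may well have.

```python
"""Offline check of S3 bucket settings against the protections discussed above.

Inputs mirror boto3 response shapes (get_bucket_versioning,
get_object_lock_configuration, get_bucket_replication). Fetching them is
assumed to be done by the caller; everything below is constructed sample data.
"""
from dataclasses import dataclass, field

REQUIRED_RETENTION_DAYS = 365  # the question's 1-year retention requirement


@dataclass
class Finding:
    ok: bool
    problems: list[str] = field(default_factory=list)


def _retention_days(rule: dict) -> int:
    """Normalise a DefaultRetention block (Days or Years) to a day count."""
    if "Days" in rule:
        return int(rule["Days"])
    if "Years" in rule:
        return int(rule["Years"]) * 365
    return 0


def check_destination_bucket(versioning: dict, object_lock: dict) -> Finding:
    """Verify the replica bucket keeps objects immutable for at least 1 year."""
    problems = []
    if versioning.get("Status") != "Enabled":
        problems.append("versioning is not enabled (Object Lock requires it)")
    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not enabled")
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    days = _retention_days(rule)
    if days < REQUIRED_RETENTION_DAYS:
        problems.append(f"default retention {days}d is shorter than {REQUIRED_RETENTION_DAYS}d")
    # GOVERNANCE mode can be bypassed by a principal with s3:BypassGovernanceRetention;
    # COMPLIANCE mode cannot be shortened or removed by anyone, including root.
    if rule.get("Mode") != "COMPLIANCE":
        problems.append(f"retention mode is {rule.get('Mode')!r}, expected COMPLIANCE")
    return Finding(ok=not problems, problems=problems)


def check_replication(replication: dict, source_account: str) -> Finding:
    """Verify replication delivers object copies into a bucket owned by another account."""
    problems = []
    cfg = replication.get("ReplicationConfiguration", {})
    rules = [r for r in cfg.get("Rules", []) if r.get("Status") == "Enabled"]
    if not rules:
        problems.append("no enabled replication rule")
    for r in rules:
        dest = r.get("Destination", {})
        if dest.get("Account") in (None, source_account):
            problems.append(f"rule {r.get('ID')!r} does not target a separate account")
        # Without owner override the replicas stay owned by the source account,
        # so the compromised account would still control them.
        if dest.get("AccessControlTranslation", {}).get("Owner") != "Destination":
            problems.append(f"rule {r.get('ID')!r} does not hand ownership to the destination")
    return Finding(ok=not problems, problems=problems)


# Constructed sample configurations (account IDs and bucket names are placeholders).
SOURCE_ACCOUNT = "111111111111"
GOOD_VERSIONING = {"Status": "Enabled"}
GOOD_OBJECT_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}
WEAK_OBJECT_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
GOOD_REPLICATION = {"ReplicationConfiguration": {
    "Role": "arn:aws:iam::111111111111:role/replication-role",
    "Rules": [{"ID": "to-security-account", "Status": "Enabled",
               "Destination": {"Bucket": "arn:aws:s3:::security-team-archive",
                               "Account": "222222222222",
                               "AccessControlTranslation": {"Owner": "Destination"}}}]}}
SAME_ACCOUNT_REPLICATION = {"ReplicationConfiguration": {
    "Role": "arn:aws:iam::111111111111:role/replication-role",
    "Rules": [{"ID": "same-account-copy", "Status": "Enabled",
               "Destination": {"Bucket": "arn:aws:s3:::backup-copy",
                               "Account": "111111111111"}}]}}

if __name__ == "__main__":
    for label, finding in [
        ("good destination", check_destination_bucket(GOOD_VERSIONING, GOOD_OBJECT_LOCK)),
        ("weak destination", check_destination_bucket(GOOD_VERSIONING, WEAK_OBJECT_LOCK)),
        ("good replication", check_replication(GOOD_REPLICATION, SOURCE_ACCOUNT)),
        ("same-account replication", check_replication(SAME_ACCOUNT_REPLICATION, SOURCE_ACCOUNT)),
    ]:
        print(label, "OK" if finding.ok else "FAIL", finding.problems)
```

The weak sample fails on two counts (30-day retention and GOVERNANCE mode), and the same-account replication fails because the copy would still be under the control of whoever holds the leaked credentials; both findings are exactly the gaps the answer's design is meant to close.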

Discussion
nharaz (Option: A)

S3 Object Lock - prevents objects from being deleted or overwritten for a fixed amount of time or indefinitely, adding a layer of protection against malicious or accidental deletion. Replication - to a new account limits the risk of a single point of compromise; even if attackers gain access to the original account, they cannot alter or delete the locked objects in the replicated bucket. Versioning - keeps multiple versions of an object in an S3 bucket, providing additional security and recovery options.

duriselvan

A ans: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

TonytheTiger (Option: A)

Option A: Amazon S3 now allows you to enable S3 Object Lock for existing buckets with just a few clicks and to enable S3 Replication for buckets using S3 Object Lock https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-s3-enabling-object-lock-buckets/#:~:text=To%20lock%20existing%20objects%2C%20you,of%20objects%20at%20a%20time.

Dgix (Option: A)

The question is, as so often, misleading. None of the alternatives deal with _access_, only with modification.

career360guru (Option: D)

Option D is the only option that addresses security risk. Option A is not addressing this - Replicating existing bucket to another bucket does not eliminate the risk due to original bucket credential leak.

bjexamprep

The question is looking for a solution for “concerned that an attacker could gain access to the AWS account through leaked long-term credentials”. None of the answers addresses the concern of “access” through “leaked long-term credentials”. The question doesn’t mention anything about data loss concerns, while all the answers provide protection against deleting the data.

9f02c8d

Creating a new account accessed by security team members is an action taken to avoid the risk through leaked long-term credentials of the existing account, so Option A.

kejam (Option: A)

https://repost.aws/knowledge-center/s3-cross-account-replication-object-lock

vip2 (Option: A)

A: assume role to provide short-term credentials

TheCloudGuruu (Option: D)

Answer is D. It's the only one that specifically addresses the issue. The question never said only the security team needs access.

07c2d2a

The answer is A. It's the only one that prevents the data from being deleted by attackers that get access using long-term credentials. GuardDuty is a monitoring system. By itself, it doesn't actually stop anything from happening. It also likely wouldn't catch use of existing long-term credentials as malicious.

nharaz

Enabling GuardDuty with S3 protection and adding a lifecycle rule to delete objects after 1 year focuses on monitoring for threats and managing object lifecycle, but it does not prevent the deletion or alteration of objects by an attacker who has gained access. S3 protection in GuardDuty helps identify suspicious access patterns, but only after the fact, rather than preventing unauthorized changes.

alexis123456

Correct Answer is A