Topic 1 Question 145
A developer operations team uses AWS Identity and Access Management (IAM) to manage user permissions. The team created an Amazon EC2 instance profile role that uses an AWS managed ReadOnlyAccess policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error.
The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file.
What should the administrator do to fix the IAM access issue?
A. Edit the ReadOnlyAccess policy to add kms:Decrypt actions
B. Add the EC2 IAM role as the authorized Principal to the S3 bucket policy
C. Attach an inline policy with kms:Decrypt permissions to the IAM role
D. Attach an inline policy with S3:* permissions to the IAM role
Comments (6)
- Selected answer: C
C is correct. ReadOnlyAccess is an AWS-administered policy; it can't be edited.
👍 2 fibonacciname 2024/05/23
- Selected answer: C
C is correct.
👍 2 aescudero51 2024/05/28
- Selected answer: C
A. Edit the ReadOnlyAccess policy: Modifying the ReadOnlyAccess policy to include kms:Decrypt actions would grant these permissions to any role or user attached to that policy. This might be more permissive than necessary and could introduce security risks if the policy is used elsewhere.
B. Add the role to the S3 bucket policy: While adding the EC2 instance profile role to the S3 bucket policy would allow access, it bypasses IAM role-based access control and couples the policy directly to the instance role. This approach is less flexible and doesn't leverage the benefits of IAM roles for managing access.
D. Attach a policy with S3:* permissions: Granting S3:* permissions through an inline policy would provide excessive access to the application. It's essential to follow the principle of least privilege and only grant the necessary kms:Decrypt permissions for the specific KMS key used for encryption.
👍 1 Nash101 2024/05/19
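The fix the thread settles on (option C), worked through as an added example that is not part of the original page: a Python helper that first reads the bucket's default-encryption setting (s3:GetEncryptionConfiguration is already covered by ReadOnlyAccess) to confirm the objects are SSE-KMS and which key they use, then builds a least-privilege inline policy granting kms:Decrypt on that one key, restricted with the kms:ViaService condition to decrypt calls S3 makes on the role's behalf. The account ID, region, key ARN, role name and the two sample GetBucketEncryption responses are constructed placeholders, not values from the page. Nothing here calls AWS; the dict returned by put_role_policy_kwargs is what you would pass to boto3's iam.put_role_policy.

```python
"""Diagnose and fix AccessDenied on SSE-KMS objects for an EC2 instance profile
role that only has the AWS managed ReadOnlyAccess policy.

ReadOnlyAccess grants s3:GetObject but not kms:Decrypt. When S3 serves an
SSE-KMS object it calls KMS Decrypt as the requester, so the missing KMS
permission surfaces as an S3 AccessDenied. Added example; placeholders below
are assumptions."""
import json

# Constructed placeholders (assumptions, not values from the page)
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_NAME = "app-ec2-readonly"

# Constructed sample responses shaped like s3.get_bucket_encryption()
SSE_KMS_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN}}]
    }
}
SSE_S3_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}


def kms_key_for_bucket(encryption_config: dict):
    """Return the KMS key a bucket encrypts with, or None for SSE-S3 (AES256).

    With SSE-S3 no KMS permission is involved and the AccessDenied must come
    from somewhere else (bucket policy, SCP, VPC endpoint policy), so the
    kms:Decrypt fix would not help.
    """
    for rule in encryption_config["ServerSideEncryptionConfiguration"]["Rules"]:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            # No KMSMasterKeyID means the bucket uses the AWS managed key aws/s3.
            return default.get("KMSMasterKeyID", "alias/aws/s3")
    return None


def build_kms_decrypt_policy(key_arn: str, region: str) -> dict:
    """Inline policy: kms:Decrypt on one key, only when S3 in this region calls KMS.

    kms:ViaService stops the grant from being usable for direct kms:Decrypt
    calls from the instance; the single Resource keeps it to the bucket's key.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DecryptS3ObjectsWithBucketKey",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": key_arn,
            "Condition": {
                "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}
            },
        }],
    }


def policy_is_scoped(policy: dict) -> bool:
    """Offline guard against over-broad variants (wildcard actions or resources)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith("*") for a in actions):
            return False
        if any(r == "*" for r in resources):
            return False
    return True


def put_role_policy_kwargs(role_name: str, policy_name: str, policy: dict) -> dict:
    """Keyword arguments for boto3 iam.put_role_policy (inline policy on the role)."""
    return {
        "RoleName": role_name,
        "PolicyName": policy_name,
        "PolicyDocument": json.dumps(policy),
    }


if __name__ == "__main__":
    key = kms_key_for_bucket(SSE_KMS_CONFIG)
    if key is None:
        print("Bucket is SSE-S3; kms:Decrypt is not the missing permission.")
    else:
        policy = build_kms_decrypt_policy(key, REGION)
        assert policy_is_scoped(policy)
        print(json.dumps(put_role_policy_kwargs(ROLE_NAME, "s3-kms-decrypt", policy), indent=2))
```

Two checks before trusting this fix: the KMS key policy must still delegate to IAM (the default key policy's "Enable IAM User Permissions" statement for the account root does this); if the key policy was customised to list principals explicitly, or the key belongs to another account, the inline policy alone will not satisfy KMS. And if kms_key_for_bucket returns None the bucket is SSE-S3, in which case the AccessDenied has a different cause and adding KMS permissions changes nothing.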