AWS Certified Security - Specialty Exam: Enable Development Team Access to Restricted S3 Buckets

Enable Development Team Access to Restricted S3 Buckets

Question

You are a security admin for an Organizational Unit named “DataAnalyticsTeam”. You wish to streamline some of the security processes and delegate some security tasks to the development team.

To this end, you wish to enable the development team to create roles and policies that can be attached to the various AWS services they are using.

However, the services that they create should be able to access S3 buckets restricted to only the “us-west-1” region.

The development team members have the “DeveloperRole” IAM Role assigned to them.

What combination of steps below will accomplish this task (Select THREE)?

Answers

Explanations

A. Create the “S3Actions” SCP policy (Deny s3:GetObject when aws:RequestedRegion is not us-west-1).

B. Create the “S3Actions” IAM policy (Allow s3:GetObject only when aws:RequestedRegion is us-west-1).

C. Create the “CreateRoles” IAM policy (allow iam:CreateRole, iam:AttachRolePolicy and iam:DetachRolePolicy only with S3Actions as the permissions boundary).

D. Execute the AWS CLI command: aws iam attach-role-policy --policy-arn arn:aws:iam::ACCOUNT_ID:policy/CreateRoles --role-name DeveloperRole

E. Execute the AWS CLI command: aws organizations attach-policy --policy-id S3Actions --target-id DataAnalyticsTeam

Answer: B, C, and D.

Option A is incorrect because using OU and SCP in this scenario will limit access to the entire OU, not just the development team.

Option B is CORRECT because the IAM policy that allows S3 access only in the desired region is the permissions boundary for the roles the developers create.

Option C is CORRECT because an IAM policy that permits role creation only when that permissions boundary is set is what lets developers create new roles and policies with restrictions built in.

Option D is CORRECT because the CreateRoles IAM policy must be attached to the DeveloperRole before the development team can use it.

Option E is incorrect because using OU and SCP in this scenario will limit access to the entire OU, not just the development team.

The correct solution in this scenario is to use permission boundaries:

Create an IAM policy to allow access to S3 buckets in the desired region (Option B).

Create an IAM policy that will allow the creation of roles only with a permission boundary (Option C). This enables developers to create new roles and policies that carry the restrictions.

Attach that IAM policy to the development team's role (Option D).

The use of SCP and OU is not applicable in this scenario because limiting access to a specific region via SCP will also affect other members of the OU and not just the development team.

Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/

https://awssecworkshops.com/builder-sessions/permission-boundary/build/

To enable the development team to create roles and policies that can be attached to the AWS services they use, while ensuring that those services can access S3 buckets only in the “us-west-1” region, the following steps are needed:

  1. Create an S3Actions policy (either as an SCP policy or an IAM policy) that restricts S3 access to the us-west-1 region only.

  2. Create a CreateRoles IAM policy that allows the development team to create roles, but only if those roles have the S3Actions policy as their permissions boundary.

  3. Attach the CreateRoles IAM policy to the DeveloperRole IAM role assigned to the development team members.

  4. Attach the S3Actions policy to the DataAnalyticsTeam OU using the AWS CLI.

Therefore, the correct combination of steps to accomplish this task is:

A. Create “S3Actions” SCP Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3RestrictionsPolicy",
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-west-1"
        }
      }
    }
  ]
}
```

This policy denies the s3:GetObject action on all resources for any request whose aws:RequestedRegion is not us-west-1.

B. Create “S3Actions” IAM Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3RestrictionsPolicy",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-west-1"
        }
      }
    }
  ]
}
```

This policy allows the s3:GetObject action on all resources, but only for requests made in the us-west-1 region; used as a permissions boundary, it caps every role created under it to that access.

C. Create “CreateRoles” IAM Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateRoles",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::ACCOUNT_ID:role/*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/S3Actions"
        }
      }
    }
  ]
}
```

This policy allows the development team to create roles and attach or detach policies on them, but only if those roles have the S3Actions policy as their permissions boundary (ACCOUNT_ID is a placeholder for the account number).

D. Execute AWS CLI command:

```bash
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/CreateRoles \
  --role-name DeveloperRole
```

This command attaches the customer-managed CreateRoles IAM policy to the DeveloperRole IAM role assigned to the development team members.

E. Execute the AWS CLI command:

```bash
aws organizations attach-policy \
  --policy-id S3Actions \
  --target-id DataAnalyticsTeam
```

This command attaches the S3Actions policy to the DataAnalyticsTeam OU.

In summary, the correct combination of steps is A, B, C, and D.
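To show how the S3Actions permissions boundary and the CreateRoles policy interact, here is an added example that is not code from the exam page or from AWS. It is a deliberately simplified IAM policy evaluator (Allow/Deny statements, wildcard matching, and the StringEquals and StringNotEquals operators only; no resource-based or session policies) that applies the two-step rule a permissions boundary imposes: a request must be allowed by both the identity-based policy and the boundary. The policy documents are the ones from options A, B and C above, the account id 111122223333 and the bucket name are constructed placeholders, and the broad developer role policy is a constructed example of what a developer might write.

```python
"""Simplified IAM evaluation showing how a permissions boundary caps a role.

Added example, not the exam's or AWS's own code. Supports Allow/Deny,
wildcard Action/Resource matching and StringEquals / StringNotEquals.
"""
import fnmatch

ACCOUNT_ID = "111122223333"  # constructed placeholder account id

# Option A: SCP variant (explicit Deny outside us-west-1).
S3ACTIONS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3RestrictionsPolicy", "Effect": "Deny",
        "Action": "s3:GetObject", "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-west-1"}},
    }],
}

# Option B: IAM policy used as the permissions boundary.
S3ACTIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3RestrictionsPolicy", "Effect": "Allow",
        "Action": "s3:GetObject", "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-1"}},
    }],
}

# Option C: policy attached to DeveloperRole; role creation only with the boundary.
CREATE_ROLES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CreateRoles", "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
        "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/*"],
        "Condition": {"StringEquals": {
            "iam:PermissionsBoundary": f"arn:aws:iam::{ACCOUNT_ID}:policy/S3Actions"}},
    }],
}

# Constructed: an over-broad policy a developer attaches to a role they created.
DEVELOPER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action and resource matching is case-insensitive with '*' wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                # Missing key => condition is false (no ...IfExists here).
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Missing key => condition is true.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        result = "Allow"
    return result


def is_allowed(identity_policy, boundary, action, resource, ctx):
    """A request passes only if the identity policy AND the boundary both allow it."""
    if evaluate(identity_policy, action, resource, ctx) != "Allow":
        return False
    if boundary is None:
        return True
    return evaluate(boundary, action, resource, ctx) == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::analytics-team-bucket/report.csv"  # constructed
    for region, action in (("us-west-1", "s3:GetObject"), ("us-east-1", "s3:GetObject"),
                           ("us-west-1", "s3:PutObject")):
        ok = is_allowed(DEVELOPER_ROLE_POLICY, S3ACTIONS_BOUNDARY, action, obj,
                        {"aws:RequestedRegion": region})
        print(f"{action} in {region} with boundary: {'allowed' if ok else 'denied'}")
```

The developer's own `s3:*` policy would grant everything, but with S3Actions as the boundary only `s3:GetObject` in `us-west-1` survives, and `iam:CreateRole` through the CreateRoles policy succeeds only when the request names that boundary ARN. Evaluating the SCP variant alone returns `Deny` outside `us-west-1` and `ImplicitDeny` inside it, which is why an SCP restricts but never grants, and why it would apply to every principal in the OU rather than just the developers.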