Your company has a set of EC2 Instances that access data objects stored in an S3 bucket.
Your IT Security department is concerned about this architecture's security and wants you to implement the following. 1) Ensure that the EC2 Instance securely accesses the data objects stored in the S3 bucket. 2) Prevent accidental deletion of objects. What would be helpful to fulfill the requirements of the IT Security department? (SELECT TWO)
Correct Answers - B and D.
AWS Documentation mentions the following.
IAM roles are designed to securely make API requests from your instances without requiring you to manage the security credentials that the applications use.
Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles.
For more information on IAM Roles, please refer to the link below.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
MFA Delete can be used to add another layer of security to S3 Objects to prevent accidental deletion of objects.
For more information on MFA Delete, please refer to the link below.
https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
The two options that would fulfill the requirements of the IT Security department are:
A. Create an IAM user and ensure the EC2 Instances use the IAM user credentials to access the bucket data.
B. Create an IAM Role and ensure the EC2 Instances use the IAM Role to access the bucket data.
Explanation:
A. Creating an IAM user and ensuring that the EC2 instances use the IAM user credentials to access the S3 bucket data will ensure secure access. IAM users allow you to create and manage AWS identities with access to AWS services and resources. You can grant IAM users permissions to access the S3 bucket and its objects by creating an IAM policy with the required permissions. IAM users are created within your AWS account and can be used to access AWS resources programmatically or via the AWS Management Console.
B. Creating an IAM role and ensuring that the EC2 instances use the IAM role to access the S3 bucket data is another way to provide secure access. IAM roles are similar to IAM users, but they are not associated with a specific user. IAM roles allow you to grant permissions to entities that you define, such as an EC2 instance or an AWS service. You can create an IAM role with permissions to access the S3 bucket and its objects and then associate the role with the EC2 instance. This way, the EC2 instance will assume the IAM role's permissions and access the S3 bucket securely.
C. Using S3 Cross-Region Replication is not directly related to the security requirements of the IT Security department. Cross-region replication allows you to replicate objects across different AWS regions for data durability and availability purposes. While it can help maintain data integrity, it is not a security feature that prevents unauthorized access or deletion of objects.
D. Using an S3 bucket policy that ensures that MFA Delete is set on the objects in the bucket can prevent accidental deletion of objects, but it does not directly address the requirement to ensure secure access. MFA Delete requires that the user has both their credentials and an MFA device to delete objects, which can help prevent accidental deletions. However, it is not a security feature that prevents unauthorized access to objects or ensures secure access from EC2 instances.
Therefore, options A and B are the correct answers.
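As an added example (not code from this page or from AWS), the two requirements expressed as configuration in Python with boto3: a trust policy that lets only the EC2 service assume the role, a permission policy scoped to one bucket that omits `s3:DeleteObject`, a small least-privilege lint that flags the wide grants an access-key setup often ends up with, and the versioning configuration that turns on MFA Delete. The bucket name, role name and the `apply()` helper are assumptions made for this example; `apply()` is the only part that needs credentials and it is not called automatically. Note that MFA Delete is part of the bucket's versioning configuration: it requires versioning to be enabled and can only be set through the API or CLI by the bucket owner's root credentials, passing the MFA device serial and current code.

```python
"""Added example (not from the original page): least-privilege IAM role for
EC2-to-S3 access plus the versioning configuration that enables MFA Delete.
Names below are placeholders chosen for this example."""
import json

BUCKET = "example-data-bucket"      # placeholder bucket name (assumption)
ROLE_NAME = "ec2-s3-data-access"    # placeholder role name (assumption)

# The only actions the instance needs; anything else is flagged by the lint.
ALLOWED_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:PutObject"}


def trust_policy():
    """Trust policy: only the EC2 service may assume the role, so no
    long-lived user access keys ever have to be placed on the instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_access_policy(bucket):
    """Permission policy scoped to a single bucket; s3:DeleteObject is
    deliberately left out so the instance cannot delete objects at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def check_least_privilege(policy, bucket):
    """Return findings for Allow statements wider than the bucket-scoped set:
    wildcard actions, actions outside ALLOWED_ACTIONS, resources outside the bucket."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action.endswith("*"):
                findings.append(f"wildcard action {action}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action {action}")
        for resource in resources:
            if resource == "*" or not resource.startswith(f"arn:aws:s3:::{bucket}"):
                findings.append(f"resource outside bucket: {resource}")
    return findings


def mfa_delete_versioning():
    """Versioning configuration body; MFA Delete only works with versioning Enabled."""
    return {"Status": "Enabled", "MFADelete": "Enabled"}


def apply(bucket, role_name, mfa_serial, mfa_code):
    """Push the configuration with boto3 (needs real credentials; not run here).
    put_bucket_versioning with MFADelete must be called with the bucket owner's
    root credentials, and MFA is '<device serial> <current code>'."""
    import boto3  # imported here so the rest of the module runs without it
    iam, s3 = boto3.client("iam"), boto3.client("s3")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="s3-bucket-access",
                        PolicyDocument=json.dumps(bucket_access_policy(bucket)))
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    s3.put_bucket_versioning(Bucket=bucket, MFA=f"{mfa_serial} {mfa_code}",
                             VersioningConfiguration=mfa_delete_versioning())


if __name__ == "__main__":
    print("scoped policy findings:", check_least_privilege(bucket_access_policy(BUCKET), BUCKET))
    # Weak variant: the blanket grant that often accompanies shared user access keys.
    weak = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print("weak policy findings:", check_least_privilege(weak, BUCKET))
```

Attach the instance profile to the instances and the SDK on the instance picks up short-lived role credentials from the instance metadata service automatically; with MFA Delete enabled, a `DeleteObject` on a versioned object without the MFA header is rejected, which is the accidental-deletion guard the second requirement asks for.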