An Educational Institute is saving all its digital learning material in an Amazon S3 bucket.
During a routine security audit, it was observed that the Amazon S3 API was invoked from a malicious IP address to access the learning material last month.
The Security Head is looking for a proactive alert for such API actions so that corrective actions can be taken promptly. Which service can be used to view these security alerts?
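A. Review Amazon GuardDuty findings
B. Review Amazon Macie alerts for this Amazon S3 bucket
C. Review Amazon S3 inventory files
D. Review Amazon S3 Server Access logs
Correct Answer: A.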
Amazon GuardDuty can be used to monitor object-level API actions within Amazon S3 buckets.
This can identify any security risks for data saved in the Amazon S3 bucket.
Amazon GuardDuty uses AWS CloudTrail management events and CloudTrail S3 data events to analyze security risks.
Option B is incorrect as Amazon Macie can be used to detect sensitive data stored in the Amazon S3 bucket.
It is not a correct service to identify malicious IP addresses invoking Amazon S3 API.
Option C is incorrect as Amazon S3 inventory is for managing Amazon S3 storage.
Option D is incorrect as Amazon Server Access logs will record requests made to the Amazon S3 bucket.
It is not a correct service to identify malicious IP addresses invoking Amazon S3 API.
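As an added example (not part of the original page and not AWS code), the Python below triages GuardDuty findings as they arrive through Amazon EventBridge, keeping only S3 findings raised for a threat-listed caller IP on one bucket. The bucket names, IP addresses and events are constructed sample values, and the field layout is assumed to follow the GuardDuty finding format delivered to EventBridge.

```python
# Added example: triage GuardDuty findings received via EventBridge.
S3_MALICIOUS_IP = ":S3/MaliciousIPCaller"  # matches the plain and .Custom finding types

def triage_s3_findings(events, bucket):
    """Return alerts for S3 malicious-IP findings on `bucket`, highest severity first."""
    alerts = []
    for event in events:
        if event.get("source") != "aws.guardduty":
            continue
        detail = event.get("detail", {})
        if S3_MALICIOUS_IP not in detail.get("type", ""):
            continue  # e.g. policy findings are not caller-IP alerts
        names = {b.get("name") for b in detail.get("resource", {}).get("s3BucketDetails", [])}
        if bucket not in names:
            continue
        call = detail.get("service", {}).get("action", {}).get("awsApiCallAction", {})
        alerts.append({
            "type": detail["type"],
            "severity": detail.get("severity", 0),
            "api": call.get("api"),
            # Report None rather than fail if remote IP details are absent.
            "ip": call.get("remoteIpDetails", {}).get("ipAddressV4"),
        })
    return sorted(alerts, key=lambda a: a["severity"], reverse=True)

def make_event(ftype, bucket, api, ip, severity):
    """Build a constructed sample event (not real GuardDuty output)."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
        "type": ftype, "severity": severity,
        "resource": {"s3BucketDetails": [{"name": bucket}]},
        "service": {"action": {"awsApiCallAction": {
            "api": api, "remoteIpDetails": {"ipAddressV4": ip}}}}}}

BUCKET = "learning-material-example"  # hypothetical bucket name
SAMPLE_EVENTS = [  # constructed; IPs are from documentation ranges
    make_event("UnauthorizedAccess:S3/MaliciousIPCaller.Custom", BUCKET, "ListObjects", "203.0.113.20", 5),
    make_event("Exfiltration:S3/MaliciousIPCaller", BUCKET, "GetObject", "198.51.100.7", 8),
    make_event("Discovery:S3/MaliciousIPCaller", "other-bucket-example", "ListBuckets", "198.51.100.7", 8),
    make_event("Policy:S3/BucketPublicAccessGranted", BUCKET, "PutBucketAcl", "203.0.113.20", 8),
]

if __name__ == "__main__":
    for alert in triage_s3_findings(SAMPLE_EVENTS, BUCKET):
        print(alert)
```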
For more information on Amazon GuardDuty S3 protection, refer to the following URL:
https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html
The correct answer is B. Review Amazon Macie alerts for this Amazon S3 bucket.
Explanation: Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS. It can automatically discover and classify data stored in Amazon S3, and generate alerts based on pre-defined policies to help you identify potential security threats.
In this scenario, since the Educational Institute is saving all its digital learning material in an Amazon S3 bucket, it can use Amazon Macie to monitor the bucket for any unauthorized access attempts. When Amazon S3 API is invoked from the malicious IP address to access the learning material last month, Amazon Macie will generate an alert based on the pre-defined policy that indicates such behavior as a security threat.
Hence, to view these security alerts, the Security Head of the Educational Institute can review the Amazon Macie alerts for the Amazon S3 bucket that contains the learning material. This will help the Educational Institute take corrective actions promptly to mitigate any potential security risks.
Option A, Review Amazon GuardDuty findings, is incorrect because GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads. Although it can detect unauthorized access to S3 buckets, it does not provide alerts specifically for S3 API access.
Option C, Review Amazon S3 inventory files, is incorrect because S3 inventory is a feature that provides a scheduled or on-demand report that lists all objects within an S3 bucket or across several buckets. It does not provide any security alerts for unauthorized access attempts.
Option D, Review Amazon S3 Server Access logs, is incorrect because S3 Server Access logs are generated when S3 objects are accessed via requests made to an S3 bucket. These logs are useful for troubleshooting, but do not provide any security alerts for unauthorized access attempts.