AWS Certified SysOps Administrator - Associate Exam | S3 Bucket Security Measures

Security Measures for S3 Bucket Configuration Changes

Question

Your company has a set of files in an S3 bucket.

The CIO wants to be informed when any configuration changes occur on the S3 bucket.

Which of the following can be used as a security measure ensuring that you don't put too many access restrictions on the bucket for existing users?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer: B.

The AWS Documentation mentions the following.

AWS Config enables continuous monitoring of your AWS resources, making it simple to assess, audit, and record resource configurations and changes.

AWS Config does this by using rules that define the desired configuration state of your AWS resources.

AWS Config provides several AWS managed rules that address a wide range of security concerns, such as checking if you encrypted your Amazon Elastic Block Store (Amazon EBS) volumes, tagged your resources appropriately, and enabled multi-factor authentication (MFA) for root accounts.

Option A is incorrect since this will put a restriction on the bucket users.

Option C is incorrect since this option can only prevent from accidental deletion of objects.

Option D is incorrect since this puts a security risk for allowing anonymous access to users.

For more information on using AWS Config with S3, please refer to the below URL-

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/

The best solution for this scenario is B. Use an AWS Config rule to monitor the configuration changes of the S3 bucket and use SNS to send notifications to the security department.

Here's why:

A. Using a bucket policy with a DENY statement for the PutObject Action could work, but it would prevent all users from uploading files to the S3 bucket, not just those making configuration changes. This is too restrictive and doesn't address the specific request of the CIO to be informed of configuration changes.

B. AWS Config is a service that helps monitor and track resource inventory, configurations, and compliance with organizational policies. By creating a Config rule to monitor the configuration changes of the S3 bucket, you can detect and alert on any changes to the bucket's settings, such as access control lists or bucket policies. You can then use SNS to send notifications to the security department, which can take appropriate action. This is a better solution because it addresses the specific request of the CIO.

C. Enabling versioning for the bucket does not address the CIO's request to be informed of configuration changes. Versioning simply keeps multiple versions of an object in the same bucket.

D. The bucket policy provided allows anyone to download any object in the bucket. This policy is too permissive and does not address the CIO's request to be informed of configuration changes.

In summary, the best solution for this scenario is to use AWS Config to monitor the configuration changes of the S3 bucket and use SNS to send notifications to the security department.