Securing Sensitive Documents in S3 Bucket: Best Practices

Ensuring Access Control for Sensitive Documents in an S3 Bucket

Question

Your company has a set of sensitive documents in an S3 bucket.

They want to ensure that only privileged IAM users can access the contents of the bucket using their MFA devices.

How can you ensure that this sort of access is provided for the bucket? Choose 2 answers from the options given below.

Answers

A. Enable versioning on the bucket.

B. Enable MFA Delete on the bucket.

C. Ensure MFA is enabled for the privileged IAM users.

D. Ensure a bucket policy is in place that only allows access if the user is MFA authenticated.

Explanations

Correct Answers: C and D.

The AWS documentation describes the feature as follows.

Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) to access your Amazon S3 resources.

Multi-factor authentication provides an extra level of security you can apply to your AWS environment.

It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code.

You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. This key appears in the request context only when the caller is using temporary credentials that were obtained with an MFA code, so a Deny statement whose Null condition checks that aws:MultiFactorAuthAge is absent rejects every request that was not MFA-authenticated, and a NumericGreaterThan condition on the same key can additionally reject MFA sessions older than a chosen number of seconds.

IAM users can access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS).

You provide the MFA code at the time of the STS request (for example with aws sts get-session-token, passing the MFA device's serial number and the current code); the resulting temporary credentials carry the MFA context keys that the bucket policy checks.

Options A and B are incorrect: versioning and MFA Delete protect objects against accidental or unauthorized deletion, but they do nothing to restrict who can read the bucket.

The requirement here is that users must authenticate with MFA before they can access the contents of the bucket.

For more information, see the example bucket policies in the AWS documentation:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

The correct answers are C and D.

C. Ensure MFA is enabled for the privileged IAM users: MFA adds a second factor. In addition to the password or access keys, the user must present a one-time code generated by their registered MFA device. Assigning an MFA device to each privileged IAM user is necessary but not sufficient on its own: it is what makes MFA-authenticated STS sessions (and the aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge context keys) possible for those users. Requiring MFA for a specific action, such as reading the bucket, is then enforced by a policy condition on those keys, not by the device assignment itself.

D. Ensure a bucket policy is in place to only allow access if users are MFA authenticated: a bucket policy defines who can access the contents of the bucket and under what conditions. To ensure only privileged IAM users with MFA can access the bucket, write a JSON bucket policy that explicitly denies S3 actions when the request carries no MFA context (a Null condition on aws:MultiFactorAuthAge) and allows access only to the privileged principals, then attach it to the bucket. Further conditions can narrow access, for example a maximum age of the MFA session (NumericGreaterThan on aws:MultiFactorAuthAge) or a permitted source IP range (aws:SourceIp).

A. Enable versioning on the bucket: enabling versioning adds no access control. It keeps multiple versions of each object in the bucket, which is useful for recovering from accidental overwrites and deletions (and is a prerequisite for MFA Delete), but it does not change who can read the objects.

B. Enable MFA Delete on the bucket: MFA Delete requires the bucket owner's MFA code to permanently delete an object version or to change the bucket's versioning state, but it does not restrict who can read the contents of the bucket. It only adds a layer of protection against accidental or malicious deletion of objects.
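As an added worked example (not code from the original page or from AWS), the following Python builds the bucket policy that options C and D describe and evaluates it offline against a few constructed requests, so the effect of the Null and NumericGreaterThan conditions on aws:MultiFactorAuthAge can be seen without touching an account. The account ID, bucket name, user names and the one-hour age limit are assumed placeholders; the evaluator is a deliberately simplified model of IAM's decision logic (explicit deny, then allow, otherwise implicit deny), not the real service.

```python
"""Bucket policy that denies S3 access unless the request used
MFA-authenticated STS credentials, plus an offline evaluator showing how the
Null / NumericGreaterThan conditions decide each case.  Added example; the
account ID, bucket, user names and the one-hour age limit are assumed."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"                                   # assumed
BUCKET = "example-sensitive-docs"                             # assumed
PRIVILEGED_USERS = [f"arn:aws:iam::{ACCOUNT_ID}:user/alice"]  # assumed
MAX_MFA_AGE_SECONDS = 3600                                    # assumed limit


def build_policy():
    """Policy dict; json.dumps() it and apply with
    `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`."""
    arn = f"arn:aws:s3:::{BUCKET}"
    resources = [arn, f"{arn}/*"]
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": resources}
    return {
        "Version": "2012-10-17",
        "Statement": [
            # aws:MultiFactorAuthAge is in the request context only when the
            # caller used STS credentials issued against an MFA code; long-term
            # access keys never carry it, so Null=true catches every non-MFA call.
            {"Sid": "DenyWithoutMFA",
             "Condition": {"Null": {"aws:MultiFactorAuthAge": True}}, **deny},
            # MFA was used, but too long ago: force re-authentication.
            {"Sid": "DenyStaleMFA",
             "Condition": {"NumericGreaterThan":
                           {"aws:MultiFactorAuthAge": MAX_MFA_AGE_SECONDS}}, **deny},
            # Only the privileged users get an Allow; everyone else is
            # implicitly denied even with a fresh MFA session.
            {"Sid": "AllowPrivilegedUsers", "Effect": "Allow",
             "Principal": {"AWS": PRIVILEGED_USERS},
             "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": resources},
        ],
    }


def _matches(pattern, value):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    arns = principal.get("AWS", [])
    return caller_arn in (arns if isinstance(arns, list) else [arns])


def _condition_matches(condition, ctx):
    """Operators used above; as in IAM, NumericGreaterThan on an absent key fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            value = ctx.get(key)
            if operator == "Null":
                if (value is None) != expected:
                    return False
            elif operator == "NumericGreaterThan":
                if value is None or not value > expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policy, caller_arn, action, resource, ctx):
    """Simplified IAM decision: explicit Deny wins, then Allow, else implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt["Principal"], caller_arn)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_matches(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def demo():
    """Decisions for four constructed requests to read one object."""
    policy = build_policy()
    alice, bob = PRIVILEGED_USERS[0], f"arn:aws:iam::{ACCOUNT_ID}:user/bob"
    obj = f"arn:aws:s3:::{BUCKET}/tax/2023.pdf"               # constructed key
    fresh = {"aws:MultiFactorAuthPresent": True, "aws:MultiFactorAuthAge": 120}
    stale = {"aws:MultiFactorAuthPresent": True, "aws:MultiFactorAuthAge": 7200}
    return {
        # long-term access keys: no MFA keys in the request context at all
        "alice_long_term_keys": evaluate(policy, alice, "s3:GetObject", obj, {}),
        # session from `aws sts get-session-token --serial-number
        # arn:aws:iam::123456789012:mfa/alice --token-code 123456`, 2 minutes old
        "alice_fresh_mfa": evaluate(policy, alice, "s3:GetObject", obj, fresh),
        # same kind of session, two hours old
        "alice_stale_mfa": evaluate(policy, alice, "s3:GetObject", obj, stale),
        # not a privileged user: nothing grants access
        "bob_fresh_mfa": evaluate(policy, bob, "s3:GetObject", obj, fresh),
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    for case, decision in demo().items():
        print(f"{case:22s} -> {decision}")
```

Two practical caveats: the DenyWithoutMFA statement applies to every principal, including IAM users of the bucket's own account who are still using long-term access keys, so confirm the privileged users can obtain MFA sessions before attaching the policy; and the offline evaluator only covers the operators this policy uses, so validate real policies with the IAM policy simulator or an actual request before relying on them.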