Q75 — AWS DOP-C02 Ch.1
A security review finds that an AWS CodeBuild project is downloading database population scripts from an Amazon S3 bucket using unauthenticated requests. The security team prohibits unauthenticated requests to the S3 bucket used by this project.
- A. Add the bucket name to the AllowedBuckets section in the CodeBuild project settings. Update the build specification to use the AWS CLI to download the database population script.
- B. Modify the S3 bucket configuration to enable HTTPS basic authentication and specify a token. Update the build specification to use cURL to pass the token and download the database population script.
- C. Use a bucket policy to remove unauthenticated access to the S3 bucket. Modify the CodeBuild project’s service role to include Amazon S3 permissions. Use the AWS CLI to download the database population script. ✓
- D. Use a bucket policy to remove unauthenticated access to the S3 bucket. Use the AWS CLI with IAM access keys and secret access keys to download the database population script.
Correct Answer: C. Use a bucket policy to remove unauthenticated access to the S3 bucket. Modify the CodeBuild project’s service role to include Amazon S3 permissions. Use the AWS CLI to download the database population script.
Explanation
Option C is the most secure solution. Removing unauthenticated access via a bucket policy enforces authorization at the resource level, so every request must carry valid AWS credentials. Granting least-privilege S3 permissions to the CodeBuild service role via IAM means no credentials are ever written into code or build specs: the build environment receives temporary credentials from the service role automatically, and the AWS CLI picks them up without any extra configuration. This eliminates the need to manage, store, or rotate long-term IAM keys, which is the security risk inherent in Option D. Options A and B either leave an insecure mechanism in place (unauthenticated access, or a basic-auth token passed on the command line) or violate AWS security best practices.