Q19 — AWS DOP-C02 Ch.3
A security audit found that an AWS CodeBuild project is downloading database population scripts from an Amazon S3 bucket using unauthenticated requests. The security team prohibits unauthenticated requests to the project’s S3 bucket. How can this be corrected in the most secure way?
- A. Add the bucket name to the AllowedBuckets section in the CodeBuild project settings. Update the buildspec to download the database population script using the AWS CLI.
- B. Modify the S3 bucket configuration to enable HTTPS basic authentication and specify a token. Update the buildspec to use cURL to pass the token and download the database population script.
- C. Use a bucket policy to remove unauthenticated access from the S3 bucket. Modify the CodeBuild project’s service role to include Amazon S3 permissions. Use the AWS CLI to download the database population script. ✓
- D. Use a bucket policy to remove unauthenticated access from the S3 bucket. Use the AWS CLI with IAM access keys and secret access keys to download the database population script.
Correct Answer: C. Use a bucket policy to remove unauthenticated access from the S3 bucket. Modify the CodeBuild project’s service role to include Amazon S3 permissions. Use the AWS CLI to download the database population script.
Explanation
The core objective is to block unauthenticated access to the S3 bucket while still letting CodeBuild retrieve the scripts securely. Per AWS security best practices, anonymous access is denied through the bucket policy, and CodeBuild is granted least-privilege S3 access through its IAM service role, which supplies short-lived temporary credentials to the build. Option C does exactly this: the bucket policy disables anonymous access, and the service role grants scoped S3 permissions, so the AWS CLI in the buildspec signs its requests automatically with no stored secrets. Option D uses long-term IAM access keys, which would have to be stored in the build environment and introduce credential leakage risk. Option B relies on HTTP basic authentication with a static token, which is not an S3 authentication mechanism. Option A's AllowedBuckets is not a native S3 authorization mechanism and would not remove the anonymous access that the audit flagged.