Q19 — AWS DOP-C02 Ch.3

Question 19 of 100

A security audit found that an AWS CodeBuild project is downloading database population scripts from an Amazon S3 bucket using unauthenticated requests. The security team prohibits unauthenticated requests to the project’s S3 bucket. How can this be corrected in the most secure way?

Correct Answer: C. Use a bucket policy to remove unauthenticated access from the S3 bucket. Modify the CodeBuild project’s service role to include Amazon S3 permissions. Use the AWS CLI to download the database population script.

Explanation

The objective is to stop anonymous (unsigned) requests to the bucket while still letting the CodeBuild project fetch the scripts, without storing any secret in the project. Two changes achieve that. First, on the resource side, edit the bucket policy to remove the statement that grants `Allow` to `Principal: "*"`, so that only signed requests from identities named in the policy can read the objects; keeping S3 Block Public Access enabled on the bucket prevents such a grant from being reintroduced later. Second, on the identity side, add a least-privilege statement to the CodeBuild project's service role (for example `s3:GetObject` on the script prefix only) and fetch the scripts in the buildspec with `aws s3 cp` instead of an unsigned HTTP download. The AWS CLI inside the build container signs its requests with the service role's temporary credentials automatically, so no long-lived keys appear in the buildspec or in environment variables. That is option C.

Option D relies on long-term access keys, which would have to be stored in the project and rotated, and which leak far more easily than temporary role credentials. Option B misapplies HTTP basic authentication, which S3 does not support; S3 authenticates requests with request signatures, not a username and password. Option A's `AllowedBuckets` is not an S3 or IAM authorization mechanism.
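As an added example (it is not part of the original question or answer key), the following Python shows the "before" bucket policy that makes unsigned downloads work, the "after" policy scoped to the CodeBuild service role, the matching least-privilege role statement, the `aws s3 cp` command that replaces the unsigned download, and a small offline check that flags wildcard-principal `Allow` statements in a bucket policy. The bucket name, account ID, role name and object key are hypothetical.

```python
"""Offline check for anonymous grants in an S3 bucket policy, alongside the
'before' policy that let unsigned requests read the scripts and the 'after'
policy scoped to the CodeBuild service role. All names here are hypothetical."""
import json

BUCKET = "example-db-scripts"                                           # hypothetical
ROLE_ARN = "arn:aws:iam::123456789012:role/codebuild-db-scripts-role"   # hypothetical

# Constructed 'before' policy: the Allow to Principal "*" is exactly what lets an
# unauthenticated request fetch the population scripts.
BEFORE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadScripts",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
})

# Constructed 'after' policy: the wildcard grant is gone, so unsigned requests fall
# through to S3's default deny; only the CodeBuild service role may read the scripts.
AFTER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCodeBuildServiceRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/scripts/*",
    }],
})

# Least-privilege statement to attach to the CodeBuild service role (identity side):
# read-only, and only on the prefix that holds the scripts.
SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/scripts/*"],
    }],
}

# buildspec command replacing the unsigned download; inside the build container the
# CLI signs this request with the service role's temporary credentials.
BUILDSPEC_DOWNLOAD = f"aws s3 cp s3://{BUCKET}/scripts/populate.sql ./populate.sql"


def _grants_to_everyone(principal):
    """True when a Principal element names everyone: "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def anonymous_allow_statements(policy_json):
    """Return (sid, has_condition) for each Allow statement granted to a wildcard principal.
    Unconditional ones are plain public access; conditional ones still need review, since
    only some condition keys (aws:PrincipalArn, aws:SourceVpce, ...) exclude anonymous callers."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _grants_to_everyone(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", f"statement[{index}]"), "Condition" in stmt))
    return findings


if __name__ == "__main__":
    print("before:", anonymous_allow_statements(BEFORE_POLICY))  # [('PublicReadScripts', False)]
    print("after: ", anonymous_allow_statements(AFTER_POLICY))   # []
    print("buildspec:", BUILDSPEC_DOWNLOAD)
```

The check is deliberately conservative: it reports every wildcard-principal `Allow`, and marks whether a `Condition` is present, because a condition such as `aws:SecureTransport` does nothing to keep anonymous callers out while `aws:PrincipalArn` or `aws:SourceVpce` does. Running it over the live policy (fetched with `aws s3api get-bucket-policy`) before and after the change is a quick way to confirm the audit finding is actually closed.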