Q29 — AWS SAP-C02 Ch.3


Q254. A company has an application that generates reports and stores them in an Amazon S3 bucket. When a user accesses their report, the application generates a signed URL to allow the user to download the report. The company's security team has discovered that the files are public and that anyone can download them without authentication. The company has suspended the generation of new reports until the problem is resolved. Which set of actions will immediately remediate the security issue without impacting the application's normal workflow?

Correct Answer: D. Use the Block Public Access feature in Amazon S3 to set the IgnorePublicAcls option to TRUE on the bucket.
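The remediation in answer D, written out as an added example (this is not code from the page; it assumes boto3 for the two network calls, which are only made when you run remediate() against a real bucket). The ACL inspection is a small, deliberately simplified model of what IgnorePublicAcls does: a grant to the AllUsers or AuthenticatedUsers group is what S3 calls a public ACL, and with the setting on, S3 ignores such grants on the bucket and on every object, existing or new. The sample ACL response is constructed to look like the one the security team would have found on a report object; bucket policies are out of scope of this model.

```python
"""Neutralise public ACLs on a bucket with S3 Block Public Access (IgnorePublicAcls).

Added example for this question, not the page's own code. put_public_access_block,
get_public_access_block and get_object_acl are real boto3 S3 client methods; they
are only called inside remediate(), so the module runs offline.
"""

# Bucket-level settings applied by answer D. Only IgnorePublicAcls is needed for
# this scenario; the other three are left False to mirror the question. In a real
# hardening you would normally turn all four on.
REMEDIATION = {
    "BlockPublicAcls": False,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}

# Grantee URIs that make an ACL "public" in S3's definition. AuthenticatedUsers
# means any AWS account in the world, so it counts as public too.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_grants(acl):
    """Return (grantee URI, permission) pairs from a GetBucketAcl/GetObjectAcl-style
    response that grant access to one of the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"], grant["Permission"]))
    return found


def effective_public_read(acl, public_access_block):
    """Simplified model (assumption: ACLs only, no bucket policy): public READ
    grants take effect only while IgnorePublicAcls is off."""
    if public_access_block.get("IgnorePublicAcls"):
        return False
    return any(perm in ("READ", "FULL_CONTROL") for _, perm in public_grants(acl))


def remediate(bucket, s3=None):
    """Apply the setting and read it back. Network call; needs AWS credentials."""
    import boto3  # imported lazily so the rest of the module works offline
    s3 = s3 or boto3.client("s3")
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=REMEDIATION)
    return s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]


# Constructed sample: a report object whose ACL grants READ to everyone.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
BEFORE = {"IgnorePublicAcls": False}

if __name__ == "__main__":
    print("public grants:", public_grants(SAMPLE_ACL))
    print("anonymous read before:", effective_public_read(SAMPLE_ACL, BEFORE))
    print("anonymous read after :", effective_public_read(SAMPLE_ACL, REMEDIATION))
```

Note that nothing in the bucket is rewritten: the object ACLs still carry the AllUsers grant after remediate() runs, S3 just stops honouring it. That is why this is faster and safer than option C, and why it is worth checking with get_public_access_block afterwards rather than by re-reading object ACLs.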

Explanation

Since the company has suspended the generation of new reports until the problem is resolved, it is essential to take immediate action to remediate the security issue. The Block Public Access feature is a set of four bucket-level (or account-level) settings that override bucket policies and ACLs granting public access. The one that matters here is IgnorePublicAcls: with it set to TRUE, S3 ignores any public ACL (a grant to the AllUsers or AuthenticatedUsers group) on the bucket and on every object in it, existing objects included, so nothing has to be rewritten per object. It does not affect requests that are authenticated with a signature, which is exactly what a presigned URL is, so the download workflow keeps working. This remediates the issue immediately without impacting the application's normal workflow. Note that IgnorePublicAcls only addresses ACL-based public access; if a bucket policy also granted public access, the BlockPublicPolicy and RestrictPublicBuckets settings would be needed, and in practice all four settings are usually enabled together.

Option A suggests creating a Lambda function that applies a deny-all policy for unauthenticated users. While this approach could work, it may impact the application's normal workflow if not implemented correctly. Option B suggests reviewing the AWS Trusted Advisor bucket permissions check and implementing the recommended actions, but that check only reports buckets with open permissions; it is unclear what the recommendations will be or whether they will address the issue, and nothing changes until someone acts on them. Option C suggests running a script that puts a private ACL on every object in the bucket, which is a time-consuming process on a bucket of any size and may impact the application's normal workflow while it runs.

Remember that the purpose of a presigned URL is to allow a user who has no AWS credentials of their own to access a private bucket or object: the request is signed with the application's credentials and is evaluated under that identity's permissions. So if someone can download the files without such a URL, the bucket or the objects in it have been granted a public ACL, and the way to block that is the IgnorePublicAcls setting.
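What "signed URL" means in the question, as an added example that is not part of the page: a Signature Version 4 presigned GET built from the standard library only. The inputs (access key AKIAIOSFODNN7EXAMPLE, the matching example secret, bucket examplebucket, key test.txt, us-east-1, timestamp 20130524T000000Z, 86400 seconds) are the example from the AWS S3 documentation on query-parameter authentication, so the signature can be checked against the value printed there. The point for this question is visible in the canonical request: the URL carries the application's access key and a signature derived from its secret, so S3 authorises the download as that IAM identity. IgnorePublicAcls never enters the evaluation, and the object can stay private.

```python
"""S3 presigned GET URL with Signature Version 4 (query-string authentication).

Added example for this question, not the page's code. Standard library only.
"""
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret, date, region, service="s3"):
    """Derive the per-day signing key: HMAC chain over date, region, service."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_get(access_key, secret, bucket, key, region, amz_date, expires, host=None):
    """Return (url, signature) for a virtual-hosted-style GET of bucket/key.

    amz_date is the ISO-8601 basic timestamp (YYYYMMDDTHHMMSSZ). expires is in
    seconds; S3 rejects values above 604800 (7 days) for SigV4.
    """
    host = host or f"{bucket}.s3.amazonaws.com"
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # identity the request runs as
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Query parameters sorted by name, RFC 3986 encoded ("/" becomes %2F).
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "GET",
        quote("/" + key, safe="/-_.~"),
        canonical_query,
        f"host:{host}\n",        # canonical headers block, ends with a blank line
        "host",                   # signed headers
        "UNSIGNED-PAYLOAD",       # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret, date, region), string_to_sign.encode(), hashlib.sha256
    ).hexdigest()
    url = f"https://{host}/{quote(key, safe='/-_.~')}?{canonical_query}&X-Amz-Signature={signature}"
    return url, signature


if __name__ == "__main__":
    # AWS documentation example inputs (not a real secret).
    url, _ = presign_get(
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "examplebucket", "test.txt", "us-east-1", "20130524T000000Z", 86400,
    )
    print(url)
```

Two practical consequences follow from the construction. Anyone holding the URL can use it until X-Amz-Expires elapses, so the application should keep expiry short and sign with a role or user that can only read the reports prefix. And because the signature is bound to the host, path and query, editing the key name in a leaked URL invalidates it; the only thing that made the reports downloadable without a URL was the public ACL, which is what answer D neutralises.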