Q20 — AWS SCS-C02 Ch.1


>A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: "AccessDenied: Access Denied status code: 403". The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access. Which combination of steps will meet these requirements? (Choose two.)

Correct Answer: B. Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore; E. Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.

Explanation

The question concerns an Amazon EC2 Image Builder build that fails because of insufficient permissions. The error is an S3 access denial, and it must be fixed in line with the principle of least privilege. According to the AWS documentation, the EC2 instance that Image Builder uses to build the image must be associated with an instance profile (role) that carries the necessary permissions. The policy combination in option B, EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore, is the officially recommended set of instance profile policies and ensures access to the basic services the build needs. Option E states explicitly that the instance role needs the s3:PutObject permission, which directly resolves the permission problem with uploading logs to S3. The remaining options either target a user role rather than the instance role, or grant overly broad permissions, and so do not meet the least-privilege requirement.