Q81 — AWS SCS-C02 Ch.1


An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket. A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other critical operations, the security engineer cannot immediately shut down the EC2 instance for vulnerability patching. What is the FASTEST way to prevent the sensitive data from being exposed?

Correct Answer: C. Revoke the IAM role's active session permissions. Update the S3 bucket policy to deny access to the IAM role. Remove the IAM role from the EC2 instance profile.

Explanation

To prevent the sensitive data from being exposed while the EC2 instance cannot be shut down immediately, the fastest approach is to revoke the IAM role's active session permissions, update the S3 bucket policy to deny access to that role, and remove the IAM role from the EC2 instance profile; together these cut off access immediately. The other options are comparatively time-consuming.