Question 32
Domain 5: Data Protection
A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are deployed in a private subnet of a VPC that does not have internet access. The EC2 instances and the S3 buckets are in the same AWS account. The EC2 instances access the S3 buckets through an S3 gateway endpoint that has the default access policy. Each EC2 instance is associated with an instance profile role that has a policy that explicitly allows the `s3:GetObject` action and the `s3:PutObject` action for only the required S3 buckets. The company learns that one or more of the EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company's organization in AWS Organizations. A security engineer must implement a solution to stop this exfiltration of data and to keep the EC2 processing job functional. Which solution will meet these requirements?
Correct answer: D
Explanation
An SCP can restrict access across the whole account while still allowing the EC2 role to use S3 for the required job. Using the condition keys `aws:ResourceOrgID` and `aws:PrincipalOrgID` limits S3 actions so they are allowed only when both the principal and the bucket belong to the company's AWS Organizations ID, which blocks exfiltration to external buckets.
Why each option is right or wrong
A. Update the policy on the S3 gateway endpoint to allow the S3 actions only if the values of the `aws:ResourceOrgID` and `aws:PrincipalOrgID` condition keys match the company's values.
Gateway endpoint policies filter only the traffic that passes through that endpoint, so this choice does not provide the account-wide guardrail that is needed.
B. Update the policy on the instance profile role to allow the S3 actions only if the value of the `aws:ResourceOrgID` condition key matches the company's value.
A role policy limits only that instance profile role; it can be bypassed by other permissions allowed in the account or by compromised usage patterns.
C. Add a network ACL rule to the subnet of the EC2 instances to block outgoing connections on port 443.
Blocking port 443 would also break legitimate S3 access because S3 requests generally use HTTPS.
D. Apply an SCP on the AWS account to allow the S3 actions only if the values of the `aws:ResourceOrgID` and `aws:PrincipalOrgID` condition keys match the company's values.
SCPs are evaluated as an organization-level guardrail and can deny S3 API calls even when the instance profile policy allows `s3:GetObject` and `s3:PutObject`; the effective permission must pass both the IAM policy and the SCP. Using `aws:PrincipalOrgID` and `aws:ResourceOrgID` in the SCP ties the allowed S3 access to principals and buckets that belong to the company’s AWS Organizations ID, so a compromised EC2 role cannot write to an external bucket outside the organization while still retaining access to the in-org buckets needed by the job.
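The following is an added example, not part of the original question or its explanation, showing what the option D guardrail looks like as a policy document and how its two condition keys behave against sample request contexts. It writes the SCP in the deny-unless form (explicit Deny statements with negated string operators, which is how such a guardrail is expressed in an SCP, since Allow statements in SCPs do not take conditions), and includes a toy evaluator that covers only the two operators used; the organization ID `o-exampleorgid`, the `o-otherorgid` value, the statement Sids and the request contexts are all constructed placeholders.

```python
import fnmatch
import json

# Placeholder: the company's real AWS Organizations ID is not given on the page.
ORG_ID = "o-exampleorgid"


def build_scp(org_id: str) -> dict:
    """Build the option D guardrail in deny-unless form.

    Two explicit Deny statements (one per condition key) give OR semantics:
    S3 calls are denied when the bucket's organization does not match, or when
    the calling principal's organization does not match. A Deny in an SCP wins
    over the Allow in the instance profile role's policy.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyS3ToResourcesOutsideOrg",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": "*",
                # IfExists form: a bucket owned by an account that belongs to no
                # organization has no aws:ResourceOrgID key at all and must still
                # be denied, which this operator guarantees.
                "Condition": {
                    "StringNotEqualsIfExists": {"aws:ResourceOrgID": org_id}
                },
            },
            {
                # Principals in member accounts always carry the org's ID, so this
                # statement rarely fires; it is kept to mirror option D exactly.
                "Sid": "DenyS3FromPrincipalsOutsideOrg",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": org_id}},
            },
        ],
    }


def _condition_true(operator: str, key: str, expected: str, context: dict) -> bool:
    """Toy evaluator for the two negated string operators used above.

    IAM treats a key that is absent from the request context as a match for a
    negated operator, so a missing key makes the Deny apply. Only these two
    operators are modelled; this is not IAM's full evaluation logic.
    """
    if operator not in ("StringNotEquals", "StringNotEqualsIfExists"):
        raise ValueError(f"unsupported operator {operator}")
    actual = context.get(key)
    return actual is None or actual != expected


def scp_denies(scp: dict, action: str, context: dict):
    """Return the Sid of the first Deny statement that matches the request, or None."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not fnmatch.fnmatchcase(action, stmt["Action"]):
            continue
        conditions = stmt.get("Condition", {})
        if all(
            _condition_true(op, key, expected, context)
            for op, pairs in conditions.items()
            for key, expected in pairs.items()
        ):
            return stmt["Sid"]
    return None


# Constructed request contexts as seen by the instance profile role (always in-org).
IN_ORG_WRITE = {"aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": ORG_ID}
EXFIL_TO_OTHER_ORG = {"aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": "o-otherorgid"}
EXFIL_TO_STANDALONE_ACCOUNT = {"aws:PrincipalOrgID": ORG_ID}  # no aws:ResourceOrgID key


if __name__ == "__main__":
    scp = build_scp(ORG_ID)
    print(json.dumps(scp, indent=2))
    for name, ctx in [
        ("in-org write", IN_ORG_WRITE),
        ("write to bucket in another org", EXFIL_TO_OTHER_ORG),
        ("write to bucket in a standalone account", EXFIL_TO_STANDALONE_ACCOUNT),
    ]:
        print(f"{name}: deny={scp_denies(scp, 's3:PutObject', ctx)}")
```

The in-org write is not denied by the SCP, so the job keeps working as long as the role policy still allows it; both exfiltration cases hit `DenyS3ToResourcesOutsideOrg`, including the bucket that belongs to no organization, which is why the `IfExists` variant matters for `aws:ResourceOrgID`.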