What should the security engineer do to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company’s security engineer receives an alert that indicates that an unexpected principal is accessing a company-owned Amazon Simple Queue Service (Amazon SQS) queue.All the company’s accounts are within an organization in AWS Organizations.The security engineer must implement a mitigation solution that minimizes compliance violations and investment in tools that are outside of AWS.

What should the security engineer do to meet these requirements?

Create security groups that only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the security groups to all the SQS queues in all the VPCs in the organization.

In all the VPCs in the organization, adjust the network ACLs to only accept inbound traffic from the CIDR blocks of all the VPCs in the organization. Attach the network ACLs to all the subnets in all the VPCs in the organization.

Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.

Use a cloud access security broker (CASB) to maintain a list of managed resources. Configure the CASB to check the API and console access against that list on a web proxy.

Explanations:

Security groups control inbound and outbound traffic for resources within a VPC but do not directly apply to SQS queues, which are globally accessible services. Additionally, security groups cannot restrict access based on AWS accounts or principals.

Network ACLs manage traffic at the subnet level but cannot restrict access to SQS queues based on AWS Organizations. SQS is a global service and does not use VPC-level networking for access control, making this option ineffective for limiting access to specific AWS accounts.

Creating interface VPC endpoints for SQS allows for traffic to be routed securely through the VPC. By setting theaws:SourceVpcecondition in the SQS policy, the engineer can restrict access to only those requests originating from specific VPC endpoints, and theaws:PrincipalOrgIdcondition ensures that only principals within the organization can access the queue, thus minimizing compliance violations.

A cloud access security broker (CASB) is an external tool that typically requires additional investment and does not natively integrate with AWS services like SQS for access control. This option does not align with the requirement to minimize compliance violations and reliance on external tools.

2025-10-01

1 Comment

  1. Ethan
    Author

    I deduce that the answer is:
    Create interface VPC endpoints for Amazon SQS in all the VPCs in the organization. Set the aws:SourceVpce condition to the VPC endpoint identifier on the SQS policy. Add the aws:PrincipalOrgId condition to the VPC endpoint policy.

Leave a Reply

Your email address will not be published. Required fields are marked *

five − 3 =