Which combination of steps should the security engineer take to gather this information? (Choose two.)
Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.
Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.
Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PII.
Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII.
Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.
Explanations:
Configuring Amazon Macie can help identify sensitive data, such as personally identifiable information (PII), in the objects stored in DOC-EXAMPLE-BUCKET1. Macie analyzes S3 objects and provides insights into their content, which is necessary for determining if any text files contain PII.
Amazon CloudWatch Logs Insights is designed for querying log data but does not directly provide access to S3 bucket content or identify PII within files. It cannot be used to analyze the contents of the objects in DOC-EXAMPLE-BUCKET1.
Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) would require specific integration to index CloudTrail logs. However, it does not natively analyze the contents of objects in S3 or determine if those objects contain PII. It could help search for access logs but not the actual content of S3 objects.
Amazon Athena can query the CloudTrail logs stored in DOC-EXAMPLE-BUCKET2 for the API calls that used the IAM access key to access objects in DOC-EXAMPLE-BUCKET1. This lets the engineer determine exactly which objects were accessed and correlate those object keys with the PII identified in them.
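An Athena query for this step, added here as an example and not part of the original question or explanation; it assumes an Athena table named cloudtrail_logs built over the CloudTrail logs in DOC-EXAMPLE-BUCKET2 using the standard AWS-documented CloudTrail schema (useridentity struct, requestparameters stored as a JSON string), and uses the AWS documentation placeholder key ID in place of the real compromised key.

```sql
-- Added example, not from the original page.
-- Assumptions: table cloudtrail_logs uses the AWS-documented CloudTrail schema;
-- AKIAIOSFODNN7EXAMPLE stands in for the compromised access key ID.
-- Object-level S3 calls (GetObject etc.) are present only if the trail records
-- S3 data events; a trail with management events alone will show nothing here.

-- 1. Every S3 read against DOC-EXAMPLE-BUCKET1 made with the key, in order.
SELECT
    eventtime,
    eventname,
    sourceipaddress,
    useragent,
    json_extract_scalar(requestparameters, '$.bucketName') AS bucket_name,
    json_extract_scalar(requestparameters, '$.key')        AS object_key,
    errorcode                                              -- NULL means the call succeeded
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAIOSFODNN7EXAMPLE'
  AND eventsource = 's3.amazonaws.com'
  AND eventname IN ('GetObject', 'HeadObject', 'CopyObject', 'SelectObjectContent')
  AND json_extract_scalar(requestparameters, '$.bucketName') = 'DOC-EXAMPLE-BUCKET1'
ORDER BY eventtime;

-- 2. The distinct objects actually retrieved (successful GetObject only), with
--    first/last access time and call count; this list is what gets matched
--    against the Macie findings for DOC-EXAMPLE-BUCKET1.
SELECT
    json_extract_scalar(requestparameters, '$.key') AS object_key,
    MIN(eventtime)                                  AS first_access,
    MAX(eventtime)                                  AS last_access,
    COUNT(*)                                        AS call_count
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'AKIAIOSFODNN7EXAMPLE'
  AND eventsource = 's3.amazonaws.com'
  AND eventname = 'GetObject'
  AND errorcode IS NULL
  AND json_extract_scalar(requestparameters, '$.bucketName') = 'DOC-EXAMPLE-BUCKET1'
GROUP BY json_extract_scalar(requestparameters, '$.key')
ORDER BY first_access;
```

The object keys returned by the second query are the set to intersect with Macie's sensitive-data findings for DOC-EXAMPLE-BUCKET1; any key appearing in both is a PII object that the access key read.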
AWS IAM Access Analyzer is primarily focused on analyzing permissions and access policies. It does not provide direct insights into specific API calls or the contents of S3 objects, such as identifying which ones contain PII. It does not perform content analysis on the objects in S3.