What is the MOST secure way to resolve this issue?
Update the IAM instance profile that is attached to the EC2 instance to include the S3:* permission for the S3 bucket.
Update the IAM instance profile that is attached to the EC2 instance to include the S3:ListBucket permission for the S3 bucket.
Update the developer’s user permissions to include the S3:ListBucket permission for the S3 bucket.
Update the S3 bucket policy by including the S3:ListBucket permission and by setting the Principal element to specify the account number of the EC2 instance.
Explanations:
Granting full S3:* permissions is overly permissive and does not follow the principle of least privilege, which may expose the bucket to unintended actions beyond listing objects.
Adding the S3:ListBucket permission to the IAM instance profile enables the EC2 instance to list objects in the specified S3 bucket securely, adhering to least privilege access control.
Modifying the developer’s user permissions will not grant the EC2 instance access to the S3 bucket, as permissions must be set for the instance profile attached to the instance itself.
Adding S3:ListBucket to the bucket policy with the EC2 account number as the principal is overly complex and unnecessary, as IAM roles are preferable for instance access management.