Which of the following options will mitigate the threat?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1).The threat was documented as follows:Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket within their control.Server X has outbound internet access configured via a proxy server.Legitimate access to S3 is required so that the application can upload encrypted files to anS3 bucket.Server X is currently using an IAM instance role.The proxy server is not able to inspect any of the server communication due to TLS encryption.

Which of the following options will mitigate the threat?

(Choose two.)

Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

Block outbound access to public S3 endpoints on the proxy server.

Configure Network ACLs on Server X to deny access to S3 endpoints.

Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server.

Remove the IAM instance role from the application server and save API access keys in a trusted and encrypted application config file.

Explanations:

Using an S3 VPC endpoint will ensure that traffic to S3 does not go through the public internet, thus mitigating the risk of data exfiltration. By whitelisting only certain S3 buckets, it limits the exposure of sensitive data, ensuring that only authorized buckets are accessible from Server X.

Blocking outbound access to public S3 endpoints on the proxy server will prevent any unauthorized uploads to S3 buckets controlled by Account 2. This action mitigates the risk of sensitive data being exfiltrated through S3 since the malicious actor would be unable to send data to their S3 bucket.

Configuring Network ACLs on Server X to deny access to S3 endpoints would block all access to S3, including legitimate uploads. This would disrupt necessary functionality of the application, as it needs to upload encrypted files to a specific S3 bucket, making it an impractical solution.

Modifying the S3 bucket policy to allow access only from the public IP addresses of the application server could work; however, if the application server is compromised, the attacker may still exploit this access. It does not sufficiently prevent unauthorized access by a malicious actor who might have gained control over Server X.

Removing the IAM instance role and using API access keys stored in a configuration file poses a greater risk. If the configuration file is compromised, the keys could be exposed, and managing the rotation of these keys can lead to security gaps. The IAM role is a more secure way to manage permissions dynamically.

2025-10-01

1 Comment

  1. Sophia
    Author

    I plot that the answer is:
    Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

Leave a Reply

Your email address will not be published. Required fields are marked *

six − one =