Question #887
Which action is a security best practice for applications requiring access to sensitive data stored in an Amazon S3 bucket?
A. Enable S3 Block Public Access on the bucket.
B. Use IAM instance profiles for EC2 instances needing access.
C. Configure Amazon CloudFront to serve the S3 bucket content.
D. Enable AWS Config to monitor S3 bucket access.
Explanation
Answer B is correct because IAM instance profiles let EC2 instances access S3 buckets securely using temporary credentials obtained through an IAM role attached to the instance. This avoids storing long-term access keys on the instance, reduces exposure risk, and adheres to the principle of least privilege.
Why the other options are incorrect:
- A: Enabling S3 Block Public Access prevents accidental public exposure but doesn't address secure application access.
- C: CloudFront optimizes content delivery but is not directly related to securing application-level access to sensitive data.
- D: AWS Config monitors access but doesn't enforce secure access methods.
Key Points:
- Use IAM roles (instance profiles) for EC2-to-S3 access.
- Temporary credentials enhance security because they are rotated automatically and expire on their own.
- Avoid hardcoding credentials; leverage IAM's dynamic permissions.
Answer
The correct answer is: B