Question #595
An application running on an Amazon EC2 instance needs to verify the existence of specific files stored in an Amazon S3 bucket. The application checks the bucket for the required objects but consistently fails to detect them. During troubleshooting, it is determined that the application has no visibility into the bucket's contents.
What is the MOST secure way to resolve this issue?
A. Modify the IAM instance profile associated with the EC2 instance to grant the S3:* permission for the S3 bucket.
B. Modify the IAM instance profile associated with the EC2 instance to grant the S3:ListBucket permission for the S3 bucket.
C. Update the developer's IAM user policy to include the S3:ListBucket permission for the S3 bucket.
D. Modify the S3 bucket policy to include the S3:ListBucket permission, specifying the EC2 instance's account number in the Principal element.
Explanation
Answer B is correct because:
1. Least Privilege: Granting only S3:ListBucket (instead of S3:* in A) follows security best practices.
2. IAM Instance Profile: The EC2 application uses the instance profile for permissions, not the developer's IAM user (C) or bucket policy (D).
3. Security: Modifying the instance profile (B) is more precise than a bucket policy (D), which could allow broader access if misconfigured.
Why others are incorrect:
- A: S3:* is overly permissive.
- C: Developer's policy doesn't affect EC2 permissions.
- D: Bucket policies are better for cross-account access; instance profiles are preferred for same-account resources.
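The following is an added example (not part of the original question or its explanation) that shows what the least-privilege policy from answer B looks like as an IAM policy document for the role behind the instance profile, beside the over-broad s3:* shape from answer A, plus a small check that flags wildcard Allow statements. The bucket name is a constructed placeholder. Note that s3:ListBucket is a bucket-level action, so its Resource must be the bucket ARN itself; writing the object ARN (bucket/*) there would leave the application unable to list the bucket.

```python
import json

# Constructed placeholder bucket name; substitute the real bucket.
BUCKET = "example-app-bucket"


def least_privilege_list_policy(bucket: str) -> dict:
    """Policy for the EC2 instance profile's role: only s3:ListBucket on the bucket.

    s3:ListBucket is evaluated against the bucket ARN, not against object ARNs,
    so the Resource is arn:aws:s3:::<bucket> with no trailing /*.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListRequiredBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            }
        ],
    }


def over_broad_policy(bucket: str) -> dict:
    """The answer-A shape: s3:* on the bucket and every object in it.

    Included only so the check below can flag it; do not deploy this.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> list:
    """Return the Sid (or positional label) of each Allow statement that uses a
    wildcard action (e.g. "*" or "s3:*") or a wildcard resource ("*")."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action or wild_resource:
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


if __name__ == "__main__":
    print(json.dumps(least_privilege_list_policy(BUCKET), indent=2))
    print("over-broad statements:", find_overbroad_statements(over_broad_policy(BUCKET)))
    print("least-privilege statements:", find_overbroad_statements(least_privilege_list_policy(BUCKET)))
```

The least-privilege document is what would be attached to the role referenced by the instance profile (for example with the IAM console or `aws iam put-role-policy`); the developer's IAM user is never involved, because the application on the instance obtains its credentials from the instance profile. If the application only needs to see a subset of keys, the statement can be narrowed further with an `s3:prefix` condition.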
Answer
The correct answer is: B