AWS Certified Solutions Architect - Professional / Question #803

Question #803

A company uses an Amazon S3 bucket to store confidential documents. Users access these documents via pre-signed URLs generated by the application. A security audit reveals that the documents are accessible without authentication. The company needs to resolve this immediately without affecting legitimate user access. Which action ensures documents are only accessible via pre-signed URLs while blocking public access?

A

Apply a bucket policy that denies all access except from the application's IAM role.

B

Enable S3 Block Public Access and set 'Block public access to buckets and objects granted through any access control lists (ACLs)' to true.

C

Modify all objects to have a private ACL using a batch operation.

D

Use AWS Config to detect and remediate public objects automatically.

Explanation

The correct answer is B. Enabling S3 Block Public Access is a bucket-level switch that takes effect immediately and requires no change to the objects themselves. The setting named in the option ('Block public access to buckets and objects granted through any access control lists (ACLs)', the IgnorePublicAcls flag) makes S3 ignore every existing public ACL grant, which is the usual way a bucket of confidential documents ends up readable without authentication. It does not touch public access granted by a bucket policy; to close that path as well, turn on all four Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets), which is the default for newly created buckets. Pre-signed URLs keep working because they are not anonymous requests: the URL carries a SigV4 signature made with the credentials of the identity that generated it, so S3 evaluates the request as that IAM user or role, and Block Public Access only governs requests from the public. What it does not protect against is the URL itself leaking, since anyone holding a pre-signed URL can use it until it expires, so keep expirations short.

Why other options are incorrect:
- A: A bucket policy that denies everything except the application's IAM role can be made to work, but it is the riskier change to make under time pressure. The Deny must exclude exactly the principal that signs the URLs (a NotPrincipal exception for an IAM role has to list both the role ARN and its assumed-role session ARNs), and a mistake locks out administrators along with the public, recoverable only with the account root user. It also leaves the misconfigured public ACL grants in place, so the bucket stays safe only as long as that policy does.
- C: Resetting every object to a private ACL with S3 Batch Operations removes the existing public grants, but it is slow on a large bucket, does nothing about a public bucket ACL or bucket policy, and does not stop the next upload from being made public again. The durable fix for ACL misuse is to disable ACLs altogether with Object Ownership set to BucketOwnerEnforced.
- D: AWS Config detects the non-compliant state and, with a remediation action attached, can correct it, but only after the evaluation and remediation cycle runs. It is a detective control that should back up the preventive one, not stand in for it when exposure must be closed now.

Key Points:
- Pre-signed URLs are authenticated requests: S3 evaluates them as the IAM principal whose credentials signed the URL, so public access settings do not affect them. They expire (at most 7 days when signed with IAM user credentials, sooner when signed with temporary credentials).
- S3 Block Public Access overrides ACLs and bucket policies only when all four settings are enabled; the ACL-only setting in option B leaves a public bucket policy effective.
- Block Public Access at the account and bucket level is AWS's recommended baseline and is enabled by default on new buckets.
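Added example (not part of the exam page): what a pre-signed URL actually is, and why Block Public Access does not interfere with it. The block below builds a SigV4 query-string pre-signed GET URL from the standard library, with constructed placeholder credentials, bucket and object key (assumptions, not real AWS resources), then shows how an unsigned request is told apart from a signed one and models, in simplified form, which of the four Block Public Access flags neutralise which kind of public grant. The model covers only the two flags that act on existing grants (IgnorePublicAcls, RestrictPublicBuckets); the two 'Block...' flags, which reject new public ACLs and policies, are left out.

```python
"""SigV4 pre-signed GET URLs and S3 Block Public Access, modelled offline.

Added illustration, not code from the exam page. Credentials, bucket and key
are constructed placeholders (assumptions), not real AWS resources.
"""
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials and names (assumptions for the example).
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
SECRET_ACCESS_KEY = "exampleSecretKeyDoNotUse0000000000000000"
REGION = "us-east-1"
BUCKET = "example-confidential-docs"
OBJECT_KEY = "reports/q3.pdf"
EXAMPLE_TIME = datetime.datetime(2024, 1, 15, 12, 0, 0)  # fixed so the URL is reproducible


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def presign_get(bucket, key, access_key_id, secret, region, now, expires_s=300):
    """Build a SigV4 pre-signed GET URL (virtual-hosted style, only the host header signed).

    The signer's identity travels in X-Amz-Credential and the proof in X-Amz-Signature,
    which is why S3 evaluates the request as that IAM principal, not as an anonymous one.
    """
    def enc(s):
        return urllib.parse.quote(s, safe="-_.~")

    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_s),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",     # canonical headers block; each header line ends with \n
        "host",               # signed headers list
        "UNSIGNED-PAYLOAD",   # S3 pre-signed URLs never sign the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret, date_stamp, region, "s3"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def demo_url():
    """Pre-signed URL for the placeholder object, valid for 5 minutes from EXAMPLE_TIME."""
    return presign_get(BUCKET, OBJECT_KEY, ACCESS_KEY_ID, SECRET_ACCESS_KEY, REGION, EXAMPLE_TIME)


def classify_request(url):
    """Tell an authenticated (pre-signed) GET from an anonymous one by its query string."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "X-Amz-Signature" not in q or "X-Amz-Credential" not in q:
        return {"authenticated": False, "principal": None, "expires_s": None}
    return {
        "authenticated": True,
        "principal": q["X-Amz-Credential"][0].split("/")[0],  # access key id of the signer
        "expires_s": int(q["X-Amz-Expires"][0]),
    }


# The four Block Public Access flags. Option B's wording maps to IgnorePublicAcls only.
BPA_ALL_ON = dict(BlockPublicAcls=True, IgnorePublicAcls=True,
                  BlockPublicPolicy=True, RestrictPublicBuckets=True)
BPA_ACL_ONLY = dict(BlockPublicAcls=False, IgnorePublicAcls=True,
                    BlockPublicPolicy=False, RestrictPublicBuckets=False)
BPA_OFF = dict.fromkeys(BPA_ALL_ON, False)


def anonymous_get_allowed(bpa, public_acl_grant, public_policy_grant):
    """Simplified model of an UNSIGNED GET under Block Public Access (assumption: only
    existing grants are modelled). IgnorePublicAcls neutralises public ACL grants;
    RestrictPublicBuckets neutralises public grants in an existing bucket policy."""
    via_acl = public_acl_grant and not bpa["IgnorePublicAcls"]
    via_policy = public_policy_grant and not bpa["RestrictPublicBuckets"]
    return bool(via_acl or via_policy)


def signed_get_allowed(url, signer_permitted_by_iam):
    """A signed request is evaluated as the signer; Block Public Access does not enter into it."""
    return bool(classify_request(url)["authenticated"] and signer_permitted_by_iam)
```

Operationally, the change the option describes is `aws s3api put-public-access-block --bucket BUCKET --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`, confirmed with `aws s3api get-public-access-block --bucket BUCKET`; afterwards a `curl -I` of the bare object URL should return 403 while the same object fetched through a freshly generated pre-signed URL still returns 200.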

Answer

The correct answer is: B