Amazon Web Services AWS Certified Security – Specialty SCS-C03 Question # 35 Topic 4 Discussion

SCS-C03 Exam Topic 4 Question 35 Discussion:
Question #: 35
Topic #: 4

A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances in an Auto Scaling group. The EC2 instances are deployed in a private subnet that does not have internet access.

The EC2 instances access Amazon S3 through an S3 gateway endpoint that has the default access policy. Each EC2 instance uses an instance profile role that allows s3:GetObject and s3:PutObject only for required S3 buckets.

The company learns that one or more EC2 instances are compromised and are exfiltrating data to an S3 bucket that is outside the company's AWS Organization. The processing job must continue to function.

Which solution will meet these requirements?

A. Update the policy on the S3 gateway endpoint to allow S3 actions only if aws:ResourceOrgId and aws:PrincipalOrgId match the company's organization.

B. Update the instance profile role policy to require aws:ResourceOrgId.

C. Add a network ACL rule to block outbound traffic on port 443.

D. Apply an SCP that restricts S3 actions using organization condition keys.
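The gateway endpoint policy that option A describes, written out as an added illustration (it is not part of the original question); the organization ID `o-xxxxxxxxxx` is a placeholder. A gateway endpoint policy is evaluated for every principal in the VPC that reaches S3 through that endpoint, in addition to the instance profile role's own policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3OnlyWithinOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceOrgID": "o-xxxxxxxxxx",
          "aws:PrincipalOrgID": "o-xxxxxxxxxx"
        }
      }
    }
  ]
}
```

Because the endpoint policy replaces the default allow-all policy, any bucket outside the organization becomes unreachable through the endpoint, including AWS-owned buckets such as those serving package repositories or agent downloads; instances that depend on them need an additional statement scoped to those specific buckets.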
