Topic: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

An application that is hosted on an Amazon EC2 instance needs access to files that are stored in an Amazon S3 bucket. The application lists the objects that are stored in the S3 bucket and displays a table to the user. During testing, a developer discovers that the application does not show any objects in the list.
What is the MOST secure way to resolve this issue?

A.
Update the IAM instance profile that is attached to the EC2 instance to include the S3:* permission for the S3 bucket.
B.
Update the IAM instance profile that is attached to the EC2 instance to include the S3:ListBucket permission for the S3 bucket.
C.
Update the developer's user permissions to include the S3:ListBucket permission for the S3 bucket.
D.
Update the S3 bucket policy by including the S3:ListBucket permission and by setting the Principal element to specify the account number of the EC2 instance.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

The correct answer is B.
https://repost.aws/knowledge-center/ec2-instance-access-s3-bucket
Option A also works, but it is not compliant with the AWS security practice of least-privilege permissions.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

Option B only allows you to list the bucket - you will still not see the objects if only s3:ListBucket permission is configured.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

Option A allows you to list buckets AND objects. Option B only allows you to list the bucket - you will still not see the objects if only s3:ListBucket permission is configured.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

Not true:
https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
To use this action in an AWS Identity and Access Management (IAM) policy, you must have permission to perform the s3:ListBucket action.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

Answer is A: The question is not stating that the list of buckets cannot be seen, but that the objects within the list cannot be seen. It seems the dev already has the s3:ListBucket option; it's the objects part that is missing.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

B is correct. The question is asking to list the objects that are stored in the S3 bucket. s3:ListBucket gives the bucket-level object list.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

The correct answer is B.
Option A works as well, but only listing the files is mentioned as a requirement.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

It is B, but I had to dig into docs to learn that to use ListObjectsV2, in an AWS Identity and Access Management (IAM) policy, you must have permission to perform the s3:ListBucket action.

https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

Can someone email me a pdf of the questions (DVA-C02 & DVA-C01) at [email protected]

Thanks in advance!

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

Is there anyone who can explain D? - S3 bucket policy

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

Option D is not the most secure choice, as utilizing bucket policies and specifying account numbers can potentially lead to overly complex and less secure configurations, especially if not managed carefully.

To implement option B, follow this, and it is most secure!!!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::your-bucket-name"
    }
  ]
}
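To make the least-privilege argument concrete, here is an added example (not from the thread, and not AWS code): a deliberately simplified IAM policy evaluator that compares option A (s3:*) with option B (s3:ListBucket) on a constructed bucket ARN, and also shows the common mistake of scoping s3:ListBucket to the objects (bucket/*) instead of the bucket itself, which is why ListObjectsV2 then fails. Conditions, NotAction/NotResource and bucket policies are intentionally not modelled.

```python
import fnmatch

# Constructed policies mirroring options A and B; the bucket name is a placeholder.
BUCKET_ARN = "arn:aws:s3:::example-bucket"
OPTION_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_ARN}]}
OPTION_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN}]}
# Common mistake: s3:ListBucket scoped to the objects instead of the bucket itself.
MISSCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN + "/*"}]}

# Requests the application (or anyone who compromises its role) could make.
CHECKS = [
    ("s3:ListBucket", BUCKET_ARN),               # ListObjectsV2 -> needs the bucket ARN
    ("s3:GetObject", BUCKET_ARN + "/report.csv"),
    ("s3:DeleteBucket", BUCKET_ARN),
    ("s3:PutBucketPolicy", BUCKET_ARN),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold=False):
    # '*' and '?' are the only wildcards; action names are case-insensitive, ARNs are not.
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, then any matching
    Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, fold=True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def granted(policy, checks=CHECKS):
    """Return the sorted list of (action, resource) pairs the policy permits."""
    return sorted(c for c in checks if is_allowed(policy, *c))


if __name__ == "__main__":
    for name, pol in [("A", OPTION_A), ("B", OPTION_B), ("misscoped", MISSCOPED)]:
        print(name, [a for a, _ in granted(pol)])
```

Option A on the bucket ARN also hands the instance s3:DeleteBucket and s3:PutBucketPolicy, which the listing feature never needs; option B grants exactly the one action ListObjectsV2 requires.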

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

A violates the least privilege principle, so B.

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

The s3:ListBucket permission allows the user to use the Amazon S3 GET Bucket (List Objects) operation.
Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html

Re: AWS Certified Developer - Associate DVA-C02 topic 1 question 38

It is B