An organization is undergoing a security audit. The auditor wants to view the AWS VPC
configurations as the organization has hosted all the applications in the AWS VPC. The auditor is
from a remote place and wants to have access to AWS to view all the VPC records.
How can the organization meet the expectations of the auditor without compromising on the
security of their AWS infrastructure?
A.
The organization should not accept the request as sharing the credentials means compromising
on security.
B.
Create an IAM role which will have read only access to all EC2 services including VPC and
assign that role to the auditor .
C.
Create an IAM user who will have read only access to the AWS VPC and share those credentials
with the auditor.
D.
The organization should create an IAM user with VPC full access but set a condition that will not
allow to modify anything if the request is from any IP other than the organization’s data center.
Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user
can create subnets as per the requirement within a VPC. The VPC also works with IAM and the
organization can create IAM users who have access to various VPC services. If an auditor wants
to have access to the AWS VPC to verify the rules, the organization should be careful before
sharing any data which can allow making updates to the AWS infrastructure. In this scenario it is
recommended that the organization creates an IAM user who will have read only access to the
VPC. Share the above mentioned credentials with the auditor as it cannot harm the organization.
The sample policy is given below:
{
“Effect”:”Allow”,
“Action”:[
“ec2:DescribeVpcs”,
“ec2:DescribeSubnets”,
“ec2:DescribeInternetGateways”,
“ec2:DescribeCustomerGateways”,
“ec2:DescribeVpnGateways”,
“ec2:DescribeVpnConnections”,
“ec2:DescribeRouteTables”,
“ec2:DescribeAddresses”,
“ec2:DescribeSecurityGroups”,
“ec2:DescribeNetworkAcls”,
“ec2:DescribeDhcpOptions”,
“ec2:DescribeTags”,
“ec2:DescribeInstances”
],
“Resource”:”*”
}
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
Isn’t it more secure to create a role and assign it to the auditor?
According to Amazon:
“… you might want to grant access to your account to third parties so that they can perform an audit on your resources.
For these scenarios, you can delegate access to AWS resources using an IAM role.”
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
0
0
how would they be able to login than? I believe the answer is correct.
0
0