ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company hosts development and production workloads in separate AWS accounts linked by AWS Organizations. Security requires that only EC2 instances tagged Environment=Prod can read objects in the central prod-data S3 bucket. Instances are launched dynamically by an Auto Scaling group. Which access-control approach best enforces this requirement without maintaining static role lists?
Grant s3:GetObject access by listing the Auto Scaling group's instance profile ARNs in the bucket policy and update the list whenever new roles are created.
Attach an IAM role tagged Environment=Prod to each instance and create an S3 bucket policy that allows s3:GetObject when the aws:PrincipalTag/Environment condition equals "Prod".
Configure a bucket ACL that grants read permission to all requests originating from the production VPC CIDR range.
Add a security group rule that permits outbound HTTPS traffic only from production instances to the prod-data bucket's public endpoint.
Attribute-based access control can use tags on principals and resources to make real-time authorization decisions. By attaching an IAM role to every EC2 instance and applying the tag Environment=Prod to that role, a bucket policy that includes a Condition element matching aws:PrincipalTag/Environment="Prod" automatically grants GetObject only to production instances. No updates are needed when the Auto Scaling group creates or terminates instances because the evaluation is based on tags, not specific role ARNs.
S3 ACLs cannot evaluate IAM tags and cannot reference VPC CIDRs for object-level permissions.
Security group rules govern network traffic, not S3 API authorization.
Listing individual role ARNs in the bucket policy is discretionary access control and requires continual maintenance, defeating the requirement to avoid static lists.
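An added example, not part of the original question page, of a bucket policy that implements the correct option: a single Allow statement on the prod-data bucket from the question, conditioned on the caller's principal tag. The organization ID is a placeholder (assumption), and the aws:PrincipalOrgID condition is an extra scoping condition not mentioned in the question, added so the wildcard Principal cannot be satisfied by a tagged role from an account outside the organization.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowProdTaggedPrincipalsToReadProdData",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::prod-data/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Environment": "Prod",
          "aws:PrincipalOrgID": "o-PLACEHOLDER-ORG-ID"
        }
      }
    }
  ]
}
```

Because the instance roles live in a different account than the bucket, the role's own identity-based policy must also allow s3:GetObject on the bucket; the bucket policy alone is not sufficient for cross-account access. Since the tag now carries authorization, permission to tag roles (iam:TagRole) in the member accounts should be restricted as tightly as the data itself.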