ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An AWS security engineer must grant an Amazon ECS task the minimum rights needed to read messages from a single SQS queue and upload objects only to the reports/ prefix of a specific S3 bucket. According to least-privilege authorization principles and to reduce future maintenance overhead, which approach best satisfies the requirement?
Add the task execution role to an IAM group that already holds permissions for all company S3 buckets and SQS queues.
Create a custom inline IAM policy that specifies only the required SQS and S3 actions on the exact queue ARN and reports/ prefix, then attach it to the ECS task execution role.
Configure an S3 bucket policy granting the task execution role full access to the bucket and rely on default permissions to allow SQS access.
Attach the AmazonSQSFullAccess and AmazonS3FullAccess AWS managed policies directly to the ECS task execution role.
The most precise way to follow least-privilege is to define an inline or customer-managed IAM policy that lists only the required actions (for example, sqs:ReceiveMessage, sqs:DeleteMessage, and s3:PutObject) and scopes those actions to the exact SQS queue ARN and the reports/ prefix in the target bucket ARN. Attaching that policy directly to the ECS task execution role enforces narrowly scoped resource access and avoids giving the role superfluous permissions. AWS managed policies such as AmazonSQSFullAccess and AmazonS3FullAccess grant far broader access than needed. Adding the role to an existing group with broad permissions or granting full bucket access through a bucket policy both violate least-privilege and complicate future permission reviews.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an inline IAM policy in AWS and how does it differ from managed policies?
Open an interactive chat with Bash
What is the principle of least-privilege in AWS systems and why is it important?
Open an interactive chat with Bash
Why shouldn't AWS managed policies like AmazonSQSFullAccess or AmazonS3FullAccess be used for least-privilege tasks?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .