An IS auditor reviews the exhibit from a cloud access policy. Which of the following is a potential security concern?
Without requiring HTTPS (aws:SecureTransport), data can be transmitted in plaintext.
Why this answer
Option A is correct because the cloud access policy does not require encryption in transit. Nothing in it conditions access on `aws:SecureTransport`, the request key that is `true` only when the call arrived over HTTPS/TLS, so the policy still permits requests sent over plain HTTP, and the data in those requests and responses crosses the network in cleartext where an on-path (man-in-the-middle) attacker can read or alter it. The usual fix is an explicit Deny statement with the condition `"Bool": {"aws:SecureTransport": "false"}`, which overrides every Allow in the policy. Missing enforcement of encryption in transit is a fundamental gap in a cloud access policy.
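The check an auditor would run over a policy document, as an added example rather than anything from the exhibit: the weak policy below is constructed to resemble the shape the question describes (an Allow on every object in a bucket, conditioned on a private source range, with no transport condition), `enforces_tls` reports whether a broad Deny on `aws:SecureTransport` is present, and `harden` appends one. The bucket name, account ID and `Sid` values are assumptions for illustration.

```python
import copy
import json

# Constructed sample resembling the exhibit's described shape; not the
# exhibit itself (assumption: bucket name and account ID are illustrative).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInternalAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def enforces_tls(policy):
    """Return True if the policy carries a Deny that blocks every non-TLS request.

    Looks for Effect=Deny whose Bool condition has aws:SecureTransport == "false"
    and whose Action covers all S3 operations. A Deny limited to one action
    (say, only s3:GetObject) leaves the other operations reachable over plain
    HTTP, so it is not counted as enforcement.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        # Condition values may be written as a string or a list of strings.
        if not any(str(v).lower() == "false" for v in _as_list(flag)):
            continue
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            return True
    return False


def harden(policy, bucket):
    """Return a copy of policy with an explicit Deny for requests not sent over TLS.

    An explicit Deny overrides any Allow in IAM evaluation, so plaintext HTTP is
    refused for every principal and action on the bucket and its objects no
    matter what the Allow statements grant. Idempotent: a policy that already
    enforces TLS is returned as an unchanged copy.
    """
    hardened = copy.deepcopy(policy)
    if enforces_tls(hardened):
        return hardened
    hardened.setdefault("Statement", []).append({
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    return hardened


if __name__ == "__main__":
    print("weak policy enforces TLS:", enforces_tls(WEAK_POLICY))
    fixed = harden(WEAK_POLICY, "example-bucket")
    print("hardened policy enforces TLS:", enforces_tls(fixed))
    print(json.dumps(fixed, indent=2))
```

The Deny is deliberately written against `Principal: "*"` and `s3:*` on both the bucket ARN and the object ARN, because a narrower Deny would leave listing or other operations reachable over HTTP while the object reads and writes were protected.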
Exam trap
The trap is that candidates often overlook the absence of an encryption-in-transit control and fixate on the visible elements of the policy, such as the source IP range or the object-level scope, which carry less risk when they are properly configured.
How to eliminate wrong answers
Option B is wrong because granting access to all objects in a bucket is not inherently a security concern when the grant is scoped to the right principals and actions (least privilege) and combined with other controls such as authentication and encryption. Option C is wrong because 10.0.0.0/8 is a private address range (RFC 1918) that is not routable from the internet; a condition limiting access to it is a common way to confine access to internal network clients and is not a concern by itself. Option D is wrong for the same reason: a source-IP condition on a private range is a restrictive control, not a weakness, because it reduces the set of clients that can reach the resource. Note, though, that a source-IP restriction only limits who can reach the bucket and says nothing about whether the traffic is encrypted, which is why it does not substitute for the control missing in option A.