A financial services company has a hybrid cloud environment with on-premises servers and a public cloud provider. The security team recently discovered that an attacker exfiltrated sensitive customer data from a cloud storage bucket. The investigation reveals that the bucket was configured with a bucket policy that allowed anonymous read access. The security architect must redesign the architecture to prevent such incidents. The company uses AWS for cloud services. The architect proposes the following:
(1) Enable AWS CloudTrail and Amazon GuardDuty for monitoring.
(2) Implement AWS Identity and Access Management (IAM) roles for applications instead of long-term access keys.
(3) Use AWS Key Management Service (KMS) to encrypt data at rest.
(4) Configure a VPC with a NAT gateway and private subnets for all compute resources.
(5) Implement S3 bucket policies that deny all access unless explicitly allowed by a specific IAM role.
During a review, the chief information security officer (CISO) points out that one of these measures does not directly address the root cause of the incident. Which measure is least effective in preventing unauthorized access to S3 buckets?
Monitoring detects but does not prevent misconfigurations.
Why this answer
Option C (enabling AWS CloudTrail and Amazon GuardDuty) is a detective control, not a preventive one. The root cause of the incident was a misconfigured bucket policy that allowed anonymous read access. Monitoring tools can detect unauthorized access after it occurs but cannot prevent it.
The other options are preventive controls: they enforce least privilege, encrypt data, or restrict network access.
Exam trap
The trap here is confusing detective controls (monitoring) with preventive controls (access policies, encryption, network segmentation), leading candidates to think that enabling logging and threat detection directly prevents the root cause of a misconfigured bucket policy.
How to eliminate wrong answers
Option A is wrong because encrypting data at rest with AWS KMS does not prevent unauthorized access; it only protects confidentiality once access has already been gained, while the root cause is a permissive bucket policy that allows anonymous read access.
Option B is wrong because configuring a VPC with private subnets and a NAT gateway has no effect on S3 bucket policies; S3 is a global service, and bucket policies are evaluated independently of the network architecture.
Option D is wrong because replacing long-term access keys with IAM roles addresses credential management but does not prevent anonymous access granted by a bucket policy; the incident occurred because the bucket policy allowed anonymous read, not because keys were compromised.
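To make the root-cause distinction concrete, the added example below (not part of the original question or answer key) places a constructed bucket policy of the kind behind the incident next to a constructed "deny unless this role" policy in the spirit of measure (5), and runs a small checker over both. The bucket name, account id and role ARN are placeholders, not values from the page; the checker flags Allow statements whose Principal is the wildcard and that carry no Condition, which is exactly the anonymous-read shape the investigation found.

```python
import json

# Constructed sample: the incident shape, an Allow to everyone with no Condition.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AnonymousRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-customer-data/*",
        }
    ],
}

# Constructed sample in the spirit of measure (5): deny every S3 action on the bucket
# unless the caller's principal ARN is one specific role. Role ARN and account id are
# placeholders. Note the policy grants nothing by itself; the role still needs its own
# Allow in an identity policy.
DENY_UNLESS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllButAppRole",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-customer-data",
                "arn:aws:s3:::example-customer-data/*",
            ],
            "Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/AppDataReader"
                }
            },
        }
    ],
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for the wildcard principal forms that match unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Return the Sids of Allow statements that grant access to everyone unconditionally."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A wildcard principal scoped by a Condition still deserves a human review,
            # but it is not the unconditional anonymous grant this check targets.
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def grants_anonymous_access(policy):
    """Preventive-control check: does this bucket policy open the bucket to anyone?"""
    return bool(public_statements(policy))


if __name__ == "__main__":
    for name, policy in (("public-read", PUBLIC_READ_POLICY),
                         ("deny-unless-role", DENY_UNLESS_ROLE_POLICY)):
        verdict = "PUBLIC" if grants_anonymous_access(policy) else "not public"
        print(f"{name}: {verdict} {public_statements(policy)}")
        print(json.dumps(policy, indent=2))
```

The checker runs on the policy document itself, before any request is made, which is what makes it a preventive control in the sense the answer key uses; CloudTrail and GuardDuty would only show the anonymous reads after the fact. In a real account this kind of check belongs in a pre-deployment pipeline, alongside the account-level S3 Block Public Access setting that stops such a policy from being attached at all.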