A healthcare company stores more than 1 million patient records in an Amazon S3 bucket.

Amazon GuardDuty Exfiltration:S3/AnomalousBehavior findings indicate that S3 data access patterns are consistent with data exfiltration. In this scenario, the attacker is usingtemporary credentials obtained from an EC2 instance profile, which are issued by AWS Security Token Service (STS).

According to AWS Certified Security – Specialty documentation, thefastest and most targeted remediationis to revoke the temporary session credentials associated with the compromised instance profile. This can be accomplished by removing or modifying the IAM role permissions, detaching the instance profile, or stopping the instance, which immediately invalidates the temporary credentials and prevents further S3 access.

Option B may limit outbound traffic but does not invalidate already issued credentials. Option C is a detection and classification service and does not prevent active exfiltration. Option D would block all access to the bucket, including legitimate access, and is considered overly disruptive for incident containment.

AWS incident response best practices emphasizecredential revocation as the first containment stepwhen compromise of temporary credentials is confirmed.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – S3 Protection

AWS STS and IAM Role Security Documentation

AWS Incident Response Best Practices