AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company must comply with a security mandate that forbids public read or write access to any Amazon S3 bucket. The operations team wants a fully managed, code-free solution that will 1) detect every time a bucket becomes publicly accessible and 2) immediately remove that public access. Which approach meets these requirements with the LEAST operational overhead?
Create the AWS Config managed rules S3_BUCKET_PUBLIC_READ_PROHIBITED and S3_BUCKET_PUBLIC_WRITE_PROHIBITED, associate each rule with the Systems Manager Automation runbook AWS-DisableS3BucketPublicReadWrite, and enable automatic remediation for the rules.
Enable Amazon Macie inventory monitoring on all buckets and configure Macie to automatically enable S3 Block Public Access whenever it generates a policy finding for a public bucket.
Enable AWS CloudTrail and configure an Amazon EventBridge rule to invoke a Lambda function whenever PutBucketAcl or PutBucketPolicy is called; have the function apply S3 Block Public Access settings to the affected bucket.
Add the AWS Config managed rule S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED, set it to run periodic evaluations only, and configure it to publish an Amazon SNS notification so engineers can manually run the AWS-DisableS3BucketPublicReadWrite runbook when a bucket is NON_COMPLIANT.
AWS Config can continuously evaluate S3 bucket ACLs, bucket policies, and Block Public Access settings by using its managed rules. Associating those rules with the AWS-provided Systems Manager Automation runbook that blocks public access gives Config the ability to remediate the resource the moment it is flagged as NON_COMPLIANT. Enabling automatic remediation on the rule means no human intervention or custom code is required. The CloudTrail/Lambda option works but requires you to build and maintain a Lambda function. Macie generates findings but has no native feature to change S3 settings automatically. A periodic-only Config rule that triggers an SNS notification still leaves a manual step and therefore does not enforce the mandate immediately.
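As an added illustration (not part of the original question or its explanation), the correct option expressed as a CloudFormation fragment: the two managed rules plus an automatic remediation that invokes the AWS-provided runbook. The IAM role ARN is a placeholder; the role must be assumable by ssm.amazonaws.com and permitted to change the bucket's public access settings.

```yaml
# Added example: AWS Config managed rules with automatic SSM Automation
# remediation. The role ARN below is a placeholder, not a real resource.
Resources:
  PublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  PublicWriteProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-write-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  # Remediation for the read rule; Config runs it as soon as a bucket is
  # evaluated NON_COMPLIANT, with no operator action and no custom code.
  PublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref PublicReadProhibited
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: true
      MaximumAutomaticAttempts: 3   # required when Automatic is true
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - arn:aws:iam::111122223333:role/REMEDIATION_ROLE_PLACEHOLDER
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID      # Config substitutes the flagged bucket name
```

The write rule needs an identical RemediationConfiguration whose ConfigRuleName references PublicWriteProhibited; without the automatic remediation attached, Config only reports NON_COMPLIANT and the bucket stays public until someone acts.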
Continuous Improvement for Existing Solutions