AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company operates more than 400 AWS member accounts that are centrally managed with AWS Organizations. The security team needs to be alerted whenever any Amazon S3 bucket in a member account receives a resource-based policy that makes the bucket publicly readable or grants read access to principals outside the organization. Notifications must arrive within 1 hour of the policy change and be delivered to an existing Amazon SNS topic in the security-tooling account. The team also wants a single console where they can review all historical findings. The solution must introduce the least ongoing operational overhead.
Which combination of actions will meet these requirements?
In every member account, enable the AWS Config managed rule s3-bucket-public-read-prohibited, aggregate the rule results to a central aggregator in the security-tooling account, and configure an EventBridge rule that forwards NON_COMPLIANT events to the SNS topic.
Enable Amazon GuardDuty S3 protection for the organization and configure GuardDuty findings to be forwarded through AWS Security Hub to the SNS topic.
Register the security-tooling account as the delegated administrator for IAM Access Analyzer, create an organization-level external-access analyzer there, and add an Amazon EventBridge rule that sends new aws.access-analyzer finding events to the existing SNS topic.
Enable Amazon Macie organization-wide from the management account and create EventBridge rules in the security-tooling account that forward Macie Policy:IAMUser/S3BucketPublic findings to the SNS topic.
Registering the security-tooling account as the delegated administrator allows IAM Access Analyzer to be managed centrally for the entire organization. Creating an organization-level external-access analyzer in that account continuously scans all resource-based policies in every member account and produces findings whenever a bucket is made public or shared with an external AWS principal. IAM Access Analyzer automatically publishes a finding event to Amazon EventBridge in less than an hour, so an EventBridge rule that matches the aws.access-analyzer source and targets the existing SNS topic delivers the required near-real-time alert. The Access Analyzer console in the delegated administrator account provides the single place to review current and historical findings.
The other options either require per-account configuration (AWS Config), rely on services that do not specifically detect cross-account bucket policies in near-real time (Amazon Macie, Amazon GuardDuty), or involve additional operational overhead that the requirement seeks to avoid.
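To make the EventBridge step concrete, the following is an added example (not code from the page or from AWS) that models the rule's event pattern and shows which Access Analyzer finding events it would forward to the SNS topic. It assumes the documented shape of Access Analyzer finding events (source `aws.access-analyzer`, detail-type `Access Analyzer Finding`, and `resourceType`, `status`, `isPublic`, `principal`, `resource` and `resourceOwnerAccount` under `detail`); the sample events are constructed, and the matcher implements only the exact-match subset of EventBridge pattern semantics. Because the organization analyzer's zone of trust is the organization itself, every finding already represents access from outside it, so the pattern only has to select the resource type and active status.

```python
"""Model of the EventBridge rule that forwards IAM Access Analyzer findings
for S3 buckets to the security team's SNS topic.

Added example. Event field names follow the documented Access Analyzer finding
event; verify them against the current event reference before deploying. All
sample events below are constructed.
"""
from typing import Any

# Event pattern for the rule in the delegated-administrator account. Only
# active findings on S3 buckets pass; resolved/archived findings and findings
# on other resource types (IAM roles, KMS keys, ...) are dropped.
S3_EXTERNAL_ACCESS_PATTERN: dict[str, Any] = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {
        "resourceType": ["AWS::S3::Bucket"],
        "status": ["ACTIVE"],
    },
}


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """Exact-match subset of EventBridge pattern semantics.

    Every key in the pattern must exist in the event; a list means "the event
    value equals one of these", a nested dict recurses into the event. Other
    operators (prefix, numeric, anything-but) are deliberately not modelled.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}: {expected!r}")
    return True


def forwarded_findings(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the events the rule would deliver, reduced to the fields an
    on-call engineer needs in the notification."""
    out = []
    for ev in events:
        if matches(S3_EXTERNAL_ACCESS_PATTERN, ev):
            d = ev["detail"]
            out.append({
                "owner_account": d.get("resourceOwnerAccount"),
                "bucket": d["resource"],
                "public": d.get("isPublic", False),
                "principal": d.get("principal"),
            })
    return out


def _event(source: str, detail_type: str, detail: dict[str, Any]) -> dict[str, Any]:
    """Build a constructed EventBridge envelope around a finding detail."""
    return {"source": source, "detail-type": detail_type, "detail": detail}


# Constructed sample events: two should be forwarded, three should be dropped.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    _event("aws.access-analyzer", "Access Analyzer Finding", {
        "resourceType": "AWS::S3::Bucket", "status": "ACTIVE", "isPublic": True,
        "resource": "arn:aws:s3:::example-public-bucket",
        "resourceOwnerAccount": "111111111111", "principal": {"AWS": "*"},
    }),
    _event("aws.access-analyzer", "Access Analyzer Finding", {
        "resourceType": "AWS::S3::Bucket", "status": "ACTIVE", "isPublic": False,
        "resource": "arn:aws:s3:::example-shared-bucket",
        "resourceOwnerAccount": "222222222222",
        "principal": {"AWS": "999999999999"},  # account outside the org
    }),
    _event("aws.access-analyzer", "Access Analyzer Finding", {
        "resourceType": "AWS::S3::Bucket", "status": "RESOLVED", "isPublic": True,
        "resource": "arn:aws:s3:::example-fixed-bucket",
        "resourceOwnerAccount": "111111111111",
    }),
    _event("aws.access-analyzer", "Access Analyzer Finding", {
        "resourceType": "AWS::IAM::Role", "status": "ACTIVE", "isPublic": False,
        "resource": "arn:aws:iam::333333333333:role/example-role",
        "resourceOwnerAccount": "333333333333",
    }),
    _event("aws.config", "Config Rules Compliance Change", {
        "resourceType": "AWS::S3::Bucket", "status": "ACTIVE",
    }),
]

if __name__ == "__main__":
    for finding in forwarded_findings(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints the two S3 findings (one public, one shared with an external account) and drops the resolved finding, the IAM role finding and the unrelated AWS Config event. If the team also wants alerts when a finding is resolved, add `"RESOLVED"` to the `status` list; leaving it out keeps the SNS topic to actionable events only.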
Design Solutions for Organizational Complexity