AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An AWS CloudOps engineer must ensure that any Amazon S3 bucket that appears in the Trusted Advisor security check "Amazon S3 Bucket Permissions" with a status of Action recommended is immediately remediated. The remediation must remove any public read ACLs, enable Block Public Access on the bucket, and send an email notification to the security team. Which approach meets these requirements with the least operational overhead?
Enable the AWS Config managed rule s3-bucket-public-read-prohibited and configure automatic remediation with a Systems Manager Automation document that changes the ACL and sends an SNS notification.
Create an EventBridge rule that matches Trusted Advisor Check Item Change events for the S3 bucket permissions check and a status of Action recommended; set the target to a Lambda function that removes the public ACL, enables Block Public Access, and publishes a message to an SNS topic.
Configure an Amazon GuardDuty finding-based EventBridge rule that invokes a Systems Manager Run Command document to set the bucket ACL to private and email the security team.
Add an S3 ObjectCreated event notification on every bucket that triggers a Lambda function to revoke public ACLs, enable Block Public Access, and email the security team after each daily Trusted Advisor refresh.
Trusted Advisor publishes an EventBridge (formerly CloudWatch Events) event whenever the status of a check item changes. A rule whose pattern matches the source aws.trustedadvisor, the check name "Amazon S3 Bucket Permissions", and a status of Action recommended (which appears in the event detail as the status value ERROR; Investigation recommended is WARN) invokes a Lambda function as soon as the finding is produced. The function can call PutPublicAccessBlock to enable all four Block Public Access settings and PutBucketAcl to remove the public grants, then publish to an Amazon SNS topic that has an email subscription for the security team. Two details matter in practice: Trusted Advisor delivers its events only in the US East (N. Virginia) Region, so the rule and the function must be created in us-east-1 regardless of where the bucket lives, and PutBucketAcl changes only the bucket ACL, so enabling Block Public Access with IgnorePublicAcls is what neutralizes any public object ACLs. This solution is fully managed, event-driven, and needs no polling; remediation happens as soon as Trusted Advisor reports the finding, so its latency is bounded by the check's refresh cadence rather than by a separate scheduler.
An AWS Config managed rule with automatic remediation could also close public buckets, but its trigger is the Config evaluation, not Trusted Advisor, so it does not satisfy the requirement to act on the Trusted Advisor finding. GuardDuty can generate findings for S3 policy or ACL changes (for example Policy:S3/BucketPublicAccessGranted), but it is a threat-detection service and does not trigger on Trusted Advisor check results. S3 ObjectCreated event notifications fire when objects are uploaded, not when a bucket's ACL or Block Public Access configuration changes, must be configured on every bucket individually, and have no connection to the Trusted Advisor result, so they neither cover existing buckets nor tie the action to the finding.
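The following is an added example, not code from this page or from AWS, of the Lambda function and rule pattern described above, written in Python with boto3. It assumes the Trusted Advisor event shape that AWS documents (source aws.trustedadvisor, detail-type "Trusted Advisor Check Item Refresh Notification", detail.check-name, detail.status, detail.check-item-detail["Bucket Name"]) and that Action recommended arrives as status ERROR; the topic ARN, account ID and bucket name are placeholders. Instead of a canned ACL of private, which would also wipe non-public grants such as the log-delivery group, it removes only the AllUsers and AuthenticatedUsers grants, and it enables Block Public Access first so that IgnorePublicAcls covers public object ACLs. Fake clients and a constructed event let it run offline.

```python
"""Event-driven remediation for the Trusted Advisor "Amazon S3 Bucket Permissions" check.
Added example; assumes the documented Trusted Advisor event shape and that the console
label "Action recommended" is status "ERROR" in the event detail."""
import json
import os

try:
    import boto3  # present in the Lambda runtime; optional here so the module imports offline
except ImportError:
    boto3 = None

# Pattern for the EventBridge rule. Trusted Advisor emits its events only in us-east-1,
# so the rule (and this Lambda) must be created there, whatever Region the bucket is in.
EVENT_PATTERN = {
    "source": ["aws.trustedadvisor"],
    "detail-type": ["Trusted Advisor Check Item Refresh Notification"],
    "detail": {"check-name": ["Amazon S3 Bucket Permissions"], "status": ["ERROR"]},
}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTH_USERS}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge matcher: a dict value recurses, a list value means
    'the event value is one of these', and a missing key never matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def bucket_name_from_event(event):
    detail = event["detail"]
    name = detail.get("check-item-detail", {}).get("Bucket Name")
    if not name:  # fall back to detail.resource_id, an ARN of the form arn:aws:s3:::<bucket>
        name = detail.get("resource_id", "").rpartition(":::")[2]
    if not name:
        raise ValueError("Trusted Advisor event carries no bucket name")
    return name


def strip_public_grants(grants):
    """Split an ACL grant list into (kept, removed); only AllUsers/AuthenticatedUsers
    grants are removed, so legitimate grants such as the log-delivery group survive."""
    kept, removed = [], []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        is_public = grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS
        (removed if is_public else kept).append(grant)
    return kept, removed


def remediate_bucket(s3, sns, bucket, topic_arn):
    """Apply the three required actions and return a record of what was done."""
    # 1. Block Public Access first: IgnorePublicAcls also neutralises public *object* ACLs,
    #    which rewriting the bucket ACL would not touch.
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    )
    # 2. Rewrite the bucket ACL without the public grants. BlockPublicAcls would reject a
    #    PutBucketAcl that still carried one, so the stripped grant list is what we send.
    acl = s3.get_bucket_acl(Bucket=bucket)
    kept, removed = strip_public_grants(acl["Grants"])
    if removed:
        s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy={"Grants": kept, "Owner": acl["Owner"]})
    # 3. Notify the security team via the SNS topic (which has an e-mail subscription).
    record = {"bucket": bucket, "removed_grants": len(removed), "block_public_access": True}
    sns.publish(TopicArn=topic_arn, Subject=f"Public access removed from s3://{bucket}",
                Message=json.dumps(record, indent=2))
    return record


def handler(event, context=None, s3=None, sns=None):
    """Lambda entry point; the s3/sns clients are injectable for offline testing."""
    if not matches_pattern(event):
        return {"action": "ignored"}  # e.g. status WARN or OK, or a different check
    topic_arn = os.environ.get("TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:security-team")  # placeholder
    return remediate_bucket(s3 or boto3.client("s3"), sns or boto3.client("sns"),
                            bucket_name_from_event(event), topic_arn)


# ---- constructed sample event and fake clients so the module runs without AWS ----
SAMPLE_EVENT = {  # constructed to mirror the documented event shape; not a real event
    "source": "aws.trustedadvisor", "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "region": "us-east-1",
    "detail": {"check-name": "Amazon S3 Bucket Permissions", "status": "ERROR",
               "resource_id": "arn:aws:s3:::example-public-bucket",
               "check-item-detail": {"Bucket Name": "example-public-bucket", "ACL Allows List": "Yes",
                                     "ACL Allows Upload/Delete": "Yes", "Policy Allows Access": "No"}},
}


class FakeS3:
    """Records calls; starts with owner, log-delivery and public-read grants."""
    def __init__(self):
        self.calls = []
        self.grants = [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ]
    def put_public_access_block(self, **kw):
        self.calls.append(("put_public_access_block", kw))
    def get_bucket_acl(self, **kw):
        self.calls.append(("get_bucket_acl", kw))
        return {"Owner": {"ID": "owner-id"}, "Grants": list(self.grants)}
    def put_bucket_acl(self, **kw):
        self.calls.append(("put_bucket_acl", kw))
        self.grants = kw["AccessControlPolicy"]["Grants"]


class FakeSNS:
    def __init__(self):
        self.published = []
    def publish(self, **kw):
        self.published.append(kw)


if __name__ == "__main__":
    s3, sns = FakeS3(), FakeSNS()
    print(handler(SAMPLE_EVENT, s3=s3, sns=sns))
    print([c[0] for c in s3.calls], sns.published[0]["Subject"])
```

Deployed for real, the function needs an execution role with s3:GetBucketAcl, s3:PutBucketAcl, s3:PutBucketPublicAccessBlock and sns:Publish on the topic, and the EventBridge rule must use the same pattern as EVENT_PATTERN in us-east-1.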
Security and Compliance