AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 18

A CloudOps engineer must ensure that all of a company's current and future Amazon S3 buckets have logging enabled. If an S3 bucket does not have logging enabled, an automated process must enable logging for the S3 bucket.
Which solution will meet these requirements?

Answer options

• A. Use AWS Trusted Advisor to perform a check for S3 buckets that do not have logging enabled. Configure the check to enable logging for S3 buckets that do not have logging enabled.
• B. Configure an S3 bucket policy that requires all current and future S3 buckets to have logging enabled.
• C. Use the s3-bucket-logging-enabled AWS Config managed rule. Add a remediation action that uses an AWS Lambda function to enable logging.
• D. Use the s3-bucket-logging-enabled AWS Config managed rule. Add a remediation action that uses the AWS-ConfigureS3BucketLogging AWS Systems Manager Automation runbook to enable logging.

Correct answer: D

Explanation

The correct answer is D because it leverages the AWS Config managed rule specifically designed for S3 bucket logging and uses a Systems Manager Automation runbook to automate the remediation process. Option A is incorrect as AWS Trusted Advisor does not have the capability to enable logging automatically. Option B is not a valid solution since a bucket policy cannot enforce logging for future buckets. Option C, while valid in using AWS Config, does not utilize the more appropriate Systems Manager Automation runbook for enabling logging.