AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 127
A company uses Amazon S3 to store proprietary information. The development team creates buckets for new projects on a daily basis. The security team wants to ensure that all existing and future buckets have encryption, logging, and versioning enabled. Additionally, no buckets should ever be publicly read or write accessible.
What should a DevOps engineer do to meet these requirements?
Answer options
- A. Enable AWS CloudTrail and configure automatic remediation using AWS Lambda.
- B. Enable AWS Config rules and configure automatic remediation using AWS Systems Manager documents.
- C. Enable AWS Trusted Advisor and configure automatic remediation using Amazon EventBridge.
- D. Enable AWS Systems Manager and configure automatic remediation using Systems Manager documents.
Correct answer: B
Explanation
The correct answer is B because AWS Config managed rules continuously evaluate S3 bucket configuration (server-side encryption, access logging, versioning, and public read/write access) for existing buckets and for every bucket created later, and a non-compliant evaluation can trigger automatic remediation through an AWS Systems Manager Automation document. Option A is incorrect because AWS CloudTrail records API calls; it does not evaluate or enforce resource configuration. Option C is incorrect because AWS Trusted Advisor offers a fixed set of best-practice checks rather than continuous, per-resource compliance evaluation with built-in remediation. Option D is incorrect because Systems Manager alone provides the remediation mechanism but not the detection of non-compliant bucket configurations.
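The following CloudFormation template is an added illustration of the pattern the explanation describes; it is not part of the original question and not an AWS-published template. It assumes an AWS Config configuration recorder and delivery channel already exist in the account, and that the AWS-managed Automation documents `AWS-EnableS3BucketEncryption`, `AWS-ConfigureS3BucketVersioning` and `AWS-DisableS3BucketPublicReadWrite` accept the parameter names shown (these names and the IAM policy are assumptions to verify against the current document schemas). The logging rule is detective only here, because remediation for it needs a target bucket and grantee that the question does not specify.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: AWS Config managed rules for S3 with automatic remediation
  through AWS-managed Systems Manager Automation documents.

Resources:
  # Role assumed by Systems Manager Automation during remediation.
  # Permissions listed are an assumption scoped to the three documents used.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: S3RemediationPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutEncryptionConfiguration
                  - s3:PutBucketVersioning
                  - s3:PutBucketPublicAccessBlock
                  - s3:GetBucketPolicy
                  - s3:DeleteBucketPolicy
                  - s3:GetBucketAcl
                  - s3:PutBucketAcl
                Resource: "arn:aws:s3:::*"

  # Detective rules (AWS-managed rule identifiers). Config evaluates these on
  # every configuration change, so buckets created tomorrow are covered too.
  S3EncryptionRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Scope: { ComplianceResourceTypes: [AWS::S3::Bucket] }
      Source: { Owner: AWS, SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED }
  S3LoggingRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-logging-enabled
      Scope: { ComplianceResourceTypes: [AWS::S3::Bucket] }
      Source: { Owner: AWS, SourceIdentifier: S3_BUCKET_LOGGING_ENABLED }
  S3VersioningRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-versioning-enabled
      Scope: { ComplianceResourceTypes: [AWS::S3::Bucket] }
      Source: { Owner: AWS, SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED }
  S3PublicReadRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Scope: { ComplianceResourceTypes: [AWS::S3::Bucket] }
      Source: { Owner: AWS, SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED }
  S3PublicWriteRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-write-prohibited
      Scope: { ComplianceResourceTypes: [AWS::S3::Bucket] }
      Source: { Owner: AWS, SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED }

  # Automatic remediation: RESOURCE_ID is the non-compliant bucket name,
  # passed by Config to the Automation document at run time.
  S3EncryptionRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3EncryptionRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-EnableS3BucketEncryption
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        BucketName: { ResourceValue: { Value: RESOURCE_ID } }
        SSEAlgorithm: { StaticValue: { Values: [AES256] } }
        AutomationAssumeRole: { StaticValue: { Values: [!GetAtt RemediationRole.Arn] } }
  S3VersioningRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3VersioningRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-ConfigureS3BucketVersioning
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        BucketName: { ResourceValue: { Value: RESOURCE_ID } }
        VersioningState: { StaticValue: { Values: [Enabled] } }
        AutomationAssumeRole: { StaticValue: { Values: [!GetAtt RemediationRole.Arn] } }
  # One document removes both public read and public write access; attach an
  # identical configuration to S3PublicWriteRule to cover the write case.
  S3PublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3PublicReadRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        S3BucketName: { ResourceValue: { Value: RESOURCE_ID } }
        AutomationAssumeRole: { StaticValue: { Values: [!GetAtt RemediationRole.Arn] } }
```

The `Automatic: true` setting is what distinguishes this design from answer A: Config itself detects drift and invokes the Automation document with a bounded retry policy, with no Lambda code to maintain. Because the managed rules are evaluated on configuration change, a bucket created without encryption is flagged and remediated within minutes of creation rather than at the next scheduled scan.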