AWS Certified Security – Specialty (SCS-C02) — Question 122

A company has AWS accounts that are in an organization in AWS Organizations. An Amazon S3 bucket in one of the accounts is publicly accessible.

A security engineer must change the configuration so that the S3 bucket is no longer publicly accessible. The security engineer also must ensure that the S3 bucket cannot be made publicly accessible in the future.

Which solution will meet these requirements?

Answer options

• A. Configure the S3 bucket to use an AWS Key Management Service (AWS KMS) key. Encrypt all objects in the S3 bucket by creating a bucket policy that enforces encryption. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.
• B. Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.
• C. Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.
• D. Configure the S3 bucket to use S3 Object Lock in governance mode. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.

Correct answer: C

Explanation

The correct answer is C because enabling the PublicAccessBlock configuration helps prevent public access, and denying the s3:PutPublicAccessBlock action ensures that the bucket cannot be made publicly accessible in the future. Option A is incorrect as it focuses on encryption rather than public access settings. Option B does not prevent future configurations that could allow public access. Option D is incorrect because using S3 Object Lock does not address the public access issue directly.