AWS Certified Security – Specialty (SCS-C02) — Question 159

A security engineer is configuring AWS Config for an AWS account that uses a new IAM entity. When the security engineer tries to configure AWS Config rules and automatic remediation options, errors occur. In the AWS CloudTrail logs, the security engineer sees the following error message: “Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is ‘null’.”

Which combination of steps should the security engineer take to remediate this issue? (Choose two.)

Answer options

• A. Check the Amazon S3 bucket policy. Verify that the policy allows the config amazonaws,com service to write to the target bucket.
• B. Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
• C. Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
• D. Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
• E. Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.

Correct answer: A, B

Explanation

The correct steps involve checking the S3 bucket policy to ensure it allows the config.amazonaws.com service to write to the bucket (Option A) and verifying that the IAM entity has permissions for the required S3 actions (Option B). Options C, D, and E do not address the specific issue of the delivery policy and required permissions that are necessary for AWS Config to function correctly in this scenario.