AWS Certified Security – Specialty — Question 219

Unapproved changes were previously made to a company's Amazon S3 bucket. A security engineer configured AWS Config to record configuration changes made to the company's S3 buckets. The engineer discovers there are S3 configuration changes being made, but no Amazon SNS notifications are being sent. The engineer has already checked the configuration of the SNS topic and has confirmed the configuration is valid.
Which combination of steps should the security engineer take to resolve the issue? (Choose two.)

Answer options

• A. Configure the S3 bucket ACLs to allow AWS Config to record changes to the buckets.
• B. Configure policies attached to S3 buckets to allow AWS Config to record changes to the buckets.
• C. Attach the AmazonS3ReadOnlyAccess managed policy to IAM User.
• D. Verify the security engineer's IAM user has an attached policy that allows all AWS Config actions.
• E. Assign the AWSConfigRole managed policy to the AWS Config role.

Correct answer: B, E

Explanation

The correct answer includes B and E because configuring policies attached to S3 buckets ensures that AWS Config has the necessary permissions to record changes, while assigning the AWSConfigRole managed policy to the AWS Config role gives it the required permissions to access the resources. The other options either do not address the permissions needed for AWS Config or are not relevant to the issue at hand.