AWS Certified Security – Specialty — Question 460

A security engineer is configuring AWS Config for an AWS account that uses a new 1AM entity. When the security engineer tries to configure AWS Config rules and automatic remediation options, errors occur. In the AWS CloudTrail logs, the security engineer sees the following error message: "Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is 'null'."

Which combination of steps should the security engineer take to remediate this issue? (Choose two.)

Answer options

• A. Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
• B. Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
• C. Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
• D. Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
• E. Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.

Correct answer: A, B

Explanation

To resolve the 'Insufficient delivery policy' error, AWS Config must be granted explicit permission to write to the destination S3 bucket. This requires the S3 bucket policy to allow the AWS Config service principal (config.amazonaws.com) to perform write operations, and the IAM entity (the AWS Config role) must possess the necessary IAM permissions (s3:GetBucketAcl and s3:PutObject*) to interact with the target bucket.