AWS Certified Security – Specialty — Question 83

A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.
A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the Security team must be notified quickly.
Which combination of actions would build the required solution? (Choose three.)

Answer options

• A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
• B. Enable Amazon GuardDuty in the security account, and join the production accounts as members.
• C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
• D. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
• E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
• F. Configure event notifications on S3 buckets for PUT, POST, and DELETE events.

Correct answer: A, C, E

Explanation

The correct actions involve configuring Amazon CloudWatch Events to monitor S3 events in the production accounts (A), setting up a rule to capture these events in the security account (C), and using AWS Lambda to analyze compliance and notify the Security team (E). Options B and D do not directly contribute to monitoring bucket policy compliance, while F focuses on specific S3 event notifications rather than overall compliance enforcement.