AWS Certified Solutions Architect – Associate (SAA-C02) — Question 478

An image-hosting company stores its objects in Amazon S3 buckets. The company wants to avoid accidental exposure of the objects in the S3 buckets to the public. All S3 objects in the entire AWS account need to remain private.
Which solution will meet these requirements?

Answer options

• A. Use Amazon GuardDuty to monitor S3 bucket policies. Create an automatic remediation action rule that uses an AWS Lambda function to remediate any change that makes the objects public.
• B. Use AWS Trusted Advisor to find publicly accessible S3 buckets. Configure email notifications in Trusted Advisor when a change is detected. Manually change the S3 bucket policy if it allows public access.
• C. Use AWS Resource Access Manager to find publicly accessible S3 buckets. Use Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function when a change is detected. Deploy a Lambda function that programmatically remediates the change.
• D. Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.

Correct answer: D

Explanation

Enabling S3 Block Public Access at the account level is the most secure and direct way to ensure all S3 buckets and objects within the account remain private. Applying a Service Control Policy (SCP) via AWS Organizations prevents unauthorized IAM users or administrators from disabling this setting, enforcing a strong preventative guardrail. Other options rely on detective and reactive mechanisms rather than preventing the public exposure in the first place, and AWS Resource Access Manager is not used for scanning public S3 buckets.