AWS Certified Solutions Architect – Professional — Question 295

A company has an application that generates reports and stores them in an Amazon bucket Amazon S3 bucket. When a user accesses their report, the application generates a signed URL to allow the user to download the report. The company's security team has discovered that the files are public and that anyone can download them without authentication. The company has suspended the generation of new reports until the problem is resolved.
Which set of action will immediately remediate the security issue without impacting the application's normal workflow?

Answer options

• A. Create an AWS Lambda function that applies all policy for users who are not authenticated. Create a scheduled event to invoke the Lambda function.
• B. Review the AWS Trusted advisor bucket permissions check and implement the recommend actions.
• C. Run a script that puts a Private ACL on all of the object in the bucket.
• D. Use the Block Public Access feature in Amazon S3 to set the IgnorePublicAcis option to TRUE on the bucket.

Correct answer: B

Explanation

AWS Trusted Advisor actively monitors S3 bucket permissions and flags buckets that have open or public access, offering a direct path to resolve the vulnerability. Following its recommendations allows the security team to quickly secure the bucket without manual scripting or risking disruption to the application's presigned URL generation workflow. Other methods, such as running custom scripts to modify ACLs on all objects, are slow and error-prone, while altering block public access settings without verification could inadvertently block legitimate presigned URL access.