AWS Certified SysOps Administrator – Associate — Question 158

A SysOps administrator has blocked public access to all company Amazon S3 buckets. The SysOps administrator wants to be notified when an S3 bucket becomes publicly readable in the future.

What is the MOST operationally efficient way to meet this requirement?

Answer options

• A. Create an AWS Lambda function that periodically checks the public access settings for each S3 bucket. Set up Amazon Simple Notification Service (Amazon SNS) to send notifications.
• B. Create a cron script that uses the S3 API to check the public access settings for each S3 bucket. Set up Amazon Simple Notification Service (Amazon SNS) to send notifications.
• C. Enable S3 Event Notifications for each S3 bucket. Subscribe S3 Event Notifications to an Amazon Simple Notification Service (Amazon SNS) topic.
• D. Enable the s3-bucket-public-read-prohibited managed rule in AWS Config. Subscribe the AWS Config rule to an Amazon Simple Notification Service (Amazon SNS) topic.

Correct answer: D

Explanation

The correct answer is D because enabling the s3-bucket-public-read-prohibited managed rule in AWS Config provides a proactive measure to monitor and notify when any S3 bucket is made publicly readable. The other options involve periodic checks or scripts that are less efficient and do not provide real-time monitoring compared to AWS Config's built-in capabilities.