AWS Certified SysOps Administrator – Associate — Question 317

A company wants to store sensitive financial data within Amazon S3 buckets. The company has a corporate policy that does not allow public read or write access to the buckets. A SysOps administrator must create a solution to automatically remove S3 permissions that allow public read or write access.

Which AWS service should the SysOps administrator use to meet these requirements in the MOST operationally efficient manner?

Answer options

• A. AWS Config
• B. AWS Security Hub
• C. AWS Trusted Advisor
• D. Amazon Inspector

Correct answer: A

Explanation

AWS Config is the ideal service because it allows administrators to deploy managed rules that monitor S3 bucket configurations and trigger automatic remediation via AWS Systems Manager Automation documents to revoke public access. While AWS Security Hub, AWS Trusted Advisor, and Amazon Inspector can identify and report public buckets, they do not offer the same native, out-of-the-box compliance monitoring and automated remediation workflow as AWS Config.