AWS Certified SysOps Administrator – Associate — Question 392

A SysOps administrator must ensure that all of a company's current and future Amazon S3 buckets have logging enabled. If an S3 bucket does not have logging enabled, an automated process must enable logging for the S3 bucket.

Which solution will meet these requirements?

Answer options

• A. Use AWS Trusted Advisor to perform a check for S3 buckets that do not have logging enabled. Configure the check to enable logging for S3 buckets that do not have logging enabled.
• B. Configure an S3 bucket policy that requires all current and future S3 buckets to have logging enabled.
• C. Use the s3-bucket-logging-enabled AWS Config managed rule. Add a remediation action that uses an AWS Lambda function to enable logging.
• D. Use the s3-bucket-logging-enabled AWS Config managed rule. Add a remediation action that uses the AWS-ConfigureS3BucketLogging AWS Systems Manager Automation runbook to enable logging.

Correct answer: D

Explanation

AWS Config is designed to evaluate resource compliance, and the s3-bucket-logging-enabled managed rule can identify S3 buckets with logging disabled. Coupling this rule with the AWS-ConfigureS3BucketLogging Systems Manager Automation runbook provides a built-in, automated remediation path without the need to write and maintain custom AWS Lambda code. AWS Trusted Advisor does not support automated remediation actions, and S3 bucket policies cannot actively configure logging settings on existing or new buckets.