AWS Certified DevOps Engineer – Professional — Question 87

A company uses Amazon S3 to store proprietary information. The development team creates buckets for new projects on a daily basis. The security team wants to ensure that all existing and future buckets have encryption, logging, and versioning enabled. Additionally, no buckets should ever be publicly read or write accessible.

What should a DevOps engineer do to meet these requirements?

Answer options

• A. Enable AWS CloudTrail and configure automatic remediation using AWS Lambda.
• B. Enable AWS Config rules and configure automatic remediation using AWS Systems Manager documents.
• C. Enable AWS Trusted Advisor and configure automatic remediation using Amazon CloudWatch Events.
• D. Enable AWS Systems Manager and configure automatic remediation using Systems Manager documents.

Correct answer: B

Explanation

The correct answer is B because AWS Config can continuously monitor the settings of S3 buckets and enforce compliance with the defined rules for encryption, logging, and versioning. Options A, C, and D do not provide the specific functionality needed to ensure these configurations are consistently applied and enforced for all buckets.