AWS Certified SysOps Administrator – Associate (legacy) — Question 769
A company's auditor implemented a compliance requirement that all Amazon S3 buckets must have logging enabled. A SysOps administrator is tasked with ensuring that this compliance requirement is met, while still permitting developers to create and use new S3 buckets.
Which action should be taken to accomplish this?
Answer options
- A. Add AWS CloudTrail logging for the S3 buckets.
- B. Implement IAM policies to allow only the storage team to create S3 buckets.
- C. Add the S3_BUCKET_LOGGING_ENABLED AWS Config managed rule.
- D. Create an AWS Lambda function to delete the S3 buckets if logging is not turned on.
Correct answer: C
Explanation
The AWS Config managed rule S3_BUCKET_LOGGING_ENABLED continuously evaluates whether Amazon S3 buckets have logging active, allowing the administrator to track compliance without restricting developer access. Restricting bucket creation with IAM policies would prevent developers from working efficiently, which violates the scenario's requirements. Automatically deleting non-compliant buckets with Lambda is too disruptive, and CloudTrail logging tracks API activity rather than evaluating bucket configuration compliance.