AWS Certified SysOps Administrator – Associate (legacy) — Question 898
InfoSec is concerned that an employee may expose sensitive data in an Amazon S3 bucket.
How can this concern be addressed without putting undue restrictions on users?
Answer options
- A. Apply an IAM policy on all users that denies the action s3:PutBucketPolicy
- B. Restrict S3 bucket access to specific IAM roles managed using federated access
- C. Activate an AWS Config rule to identify public buckets and alert InfoSec using Amazon SNS
- D. Email the findings of AWS Personal Health Dashboard to InfoSec daily
Correct answer: B
Explanation
Restricting S3 bucket access to specific IAM roles managed through federated access provides secure, centralized, role-based access control without imposing unnecessary restrictions on general users. AWS Config can alert on public buckets, but that is a reactive measure rather than a preventative control like federated access management. Denying s3:PutBucketPolicy for all users might disrupt legitimate administrative tasks, and AWS Personal Health Dashboard is unrelated to S3 bucket access configurations.