Medium · 1 mark · Multiple Choice
Domain 3.2: Security Improvement · AWS Config · Security · Automation · S3

AWS SAP-C02 · Question 56 · Domain 3.2: Security Improvement

A company has a strict security policy that all Amazon S3 buckets must be encrypted with AWS KMS. They have hundreds of existing buckets across multiple accounts. The security team wants to automatically remediate any bucket that is created without KMS encryption, or any existing bucket that has encryption disabled. What is the MOST scalable and automated way to achieve this?

Answer options:

A.

Create an EventBridge rule to trigger a Lambda function on the CreateBucket API call.

B.

Deploy an AWS Config rule with an automatic remediation action using an SSM Automation document.

C.

Use AWS CloudTrail to search for unencrypted buckets and manually run a script.

D.

Create an SCP that denies s3:PutObject if the encryption header is missing.

How to approach this question

Look for the standard AWS pattern for continuous compliance and automated remediation.

Full Answer

B. Deploy an AWS Config rule with an automatic remediation action using an SSM Automation document. ✓ Correct
AWS Config is the primary service for continuous compliance. It records each bucket's configuration, evaluates it against a rule on creation and whenever the encryption configuration changes, and evaluates every existing bucket on the rule's first run, which is what covers the hundreds of buckets that already exist. The rule to use is the managed rule s3-default-encryption-kms (source identifier S3_DEFAULT_ENCRYPTION_KMS), which reports NON_COMPLIANT unless the bucket's default encryption uses an AWS KMS key. The often-cited s3-bucket-server-side-encryption-enabled only checks that some server-side encryption is enabled, and because S3 has applied SSE-S3 to every bucket by default since January 2023, it marks almost everything compliant and cannot enforce a KMS-only policy. Attaching an automatic remediation action that runs the AWS-owned Systems Manager Automation runbook AWS-EnableS3BucketEncryption, with SSEAlgorithm set to aws:kms and the KMS key passed as KMSMasterKey, re-applies KMS default encryption to every non-compliant bucket without human involvement. For the multi-account requirement, the rule and its remediation configuration are deployed once as an organization conformance pack from the management or delegated administrator account, and a Config aggregator gives the security team the cross-account compliance view.
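The rule and remediation that option B describes, as an added example (not code from the exam page or from AWS): it builds the boto3 request payloads for put_config_rule and put_remediation_configurations for one account and region, and includes a local check that mirrors what the managed rule evaluates so the compliance logic can be exercised offline. The account ID, region, KMS key ARN and remediation role ARN are placeholders, and the sample GetBucketEncryption responses are constructed, not captured from a real account.

```python
# Added example: AWS Config managed rule S3_DEFAULT_ENCRYPTION_KMS with an
# automatic remediation that runs the AWS-owned runbook
# AWS-EnableS3BucketEncryption. Placeholder ARNs below are assumptions; the
# remediation role must be assumable by ssm.amazonaws.com and allowed to call
# s3:PutEncryptionConfiguration and to use the KMS key.

RULE_NAME = "s3-default-encryption-kms"
MANAGED_RULE_ID = "S3_DEFAULT_ENCRYPTION_KMS"        # AWS managed rule identifier
SSM_DOCUMENT = "AWS-EnableS3BucketEncryption"       # AWS-owned Automation runbook
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder
REMEDIATION_ROLE_ARN = "arn:aws:iam::111122223333:role/ConfigRemediationRole"  # placeholder


def bucket_uses_kms(get_bucket_encryption_response: dict) -> bool:
    """Return True if every default-encryption rule on the bucket uses a KMS key.

    Input has the shape returned by s3:GetBucketEncryption. A missing or empty
    configuration (encryption deleted) is non-compliant, and so is SSE-S3
    (AES256), which the policy in the question does not accept.
    """
    rules = (get_bucket_encryption_response
             .get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    if not rules:
        return False
    for rule in rules:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
        # "aws:kms" (SSE-KMS) and "aws:kms:dsse" (DSSE-KMS) both use KMS keys.
        if not algorithm.startswith("aws:kms"):
            return False
    return True


def config_rule_request(rule_name: str = RULE_NAME) -> dict:
    """Parameters for ConfigService.put_config_rule."""
    return {
        "ConfigRule": {
            "ConfigRuleName": rule_name,
            "Description": "S3 bucket default encryption must use an AWS KMS key",
            "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
            "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULE_ID},
        }
    }


def remediation_request(rule_name: str = RULE_NAME,
                        key_arn: str = KMS_KEY_ARN,
                        role_arn: str = REMEDIATION_ROLE_ARN) -> dict:
    """Parameters for ConfigService.put_remediation_configurations.

    Automatic=True makes Config run the runbook on every NON_COMPLIANT
    evaluation: existing buckets on the first run, and any bucket whose
    encryption is later changed or removed. RESOURCE_ID binds the evaluated
    bucket's name to the runbook's BucketName parameter.
    """
    return {
        "RemediationConfigurations": [{
            "ConfigRuleName": rule_name,
            "TargetType": "SSM_DOCUMENT",
            "TargetId": SSM_DOCUMENT,
            "Automatic": True,
            "MaximumAutomaticAttempts": 5,   # required when Automatic is True
            "RetryAttemptSeconds": 60,
            "Parameters": {
                "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
                "BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
                "SSEAlgorithm": {"StaticValue": {"Values": ["aws:kms"]}},
                "KMSMasterKey": {"StaticValue": {"Values": [key_arn]}},
            },
        }]
    }


def deploy(region: str = "us-east-1") -> None:
    """Apply both requests with boto3 (needs AWS credentials; imported lazily
    so everything else in this module runs offline)."""
    import boto3
    config = boto3.client("config", region_name=region)
    config.put_config_rule(**config_rule_request())
    config.put_remediation_configurations(**remediation_request())


# Constructed sample GetBucketEncryption responses (not from a real account).
SAMPLE_KMS_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": KMS_KEY_ARN},
     "BucketKeyEnabled": True}]}}
SAMPLE_SSE_S3_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_NO_ENCRYPTION = {}

if __name__ == "__main__":
    for name, sample in [("kms", SAMPLE_KMS_BUCKET), ("sse-s3", SAMPLE_SSE_S3_BUCKET),
                         ("none", SAMPLE_NO_ENCRYPTION)]:
        print(f"{name:7s} compliant={bucket_uses_kms(sample)}")
```

Run the module to see the three sample buckets evaluated; call deploy() with credentials to create the rule and remediation in one account. For the cross-account case in the question, put the same ConfigRule and RemediationConfiguration resources in a conformance pack template and deploy it as an organization conformance pack; each member account then needs a remediation role of the same name and a KMS key it is allowed to use, since the runbook runs in the account that owns the bucket.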

Common mistakes

Choosing EventBridge (A): a rule on CreateBucket fires only for new buckets, so it never evaluates the hundreds of buckets that already exist, and it ignores the later PutBucketEncryption or DeleteBucketEncryption calls that disable encryption, which is the second half of the requirement.

Choosing the SCP (D): denying s3:PutObject without an encryption header blocks non-compliant uploads, but it sets no bucket default encryption and remediates nothing, so existing buckets stay non-compliant.

Choosing CloudTrail (C): CloudTrail is an audit log, not a compliance evaluator, and a manually run script is neither scalable nor automated.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 4
