AWS SAP-C02 · Question 03 · Domain 1.2: Security Controls
An enterprise has 100 AWS accounts in AWS Organizations. The security team mandates that all Amazon S3 buckets across all accounts must block public access. If a bucket is created without this setting, it must be automatically remediated within minutes. Which solution meets these requirements with the LEAST operational overhead?
Answer options:
Deploy an AWS Lambda function in each account triggered by CloudTrail S3 events to modify bucket policies.
Create an SCP in AWS Organizations to deny the s3:PutBucketPublicAccessBlock action if it attempts to allow public access. Use AWS Config rules with automated remediation to fix existing buckets.
Use AWS Systems Manager Fleet Manager to run a script daily across all accounts to update S3 settings.
Enable Amazon Macie in the management account to automatically block public access on all discovered buckets.