Question #802
An organization needs to audit all Amazon S3 buckets to identify those that are shared with external AWS accounts through ACLs or bucket policies. Which AWS service or resource should be used to fulfill this requirement?
A. S3 Multi-Region Access Points
B. S3 Storage Lens
C. AWS IAM Identity Center (AWS Single Sign-On)
D. Access Analyzer for S3
Explanation
The correct answer is D. Access Analyzer for S3.
Why D is correct:
- Access Analyzer for S3 is the S3 console view of IAM Access Analyzer findings. It evaluates bucket policies, bucket ACLs, and access point policies and reports every bucket that a principal outside the zone of trust can reach, whether a specific external AWS account or the public (anonymous access). The zone of trust is the account or, if the analyzer was created at the organization level, the whole AWS organization. An analyzer must exist in IAM Access Analyzer before the S3 view shows anything, and each finding names the bucket, the external principal, and the access granted, which is exactly the audit the question asks for. Access Analyzer evaluates the policy logic, including Condition elements, rather than only matching on Principal strings.
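The kind of check Access Analyzer performs, as an added illustration that is not AWS code and not how Access Analyzer is implemented: a small Python script that walks constructed bucket policy and ACL documents in the shape `get_bucket_policy` and `get_bucket_acl` return, treats a hypothetical set of account IDs as the zone of trust, and reports grants to `*`, to accounts outside that set, and to the public ACL groups. Unlike Access Analyzer it does not evaluate Condition blocks, so a conditional statement (for example one limited by `aws:PrincipalOrgID`) is still reported, flagged `conditional` for manual review.

```python
import re
from typing import Any

# Hypothetical account IDs treated as the zone of trust for this example.
# Access Analyzer uses the account or the organization instead of a list.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# ACL grantee groups that expose a bucket to everyone / every AWS user.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
_ACCOUNT_ID = re.compile(r"\b(\d{12})\b")


def _aws_principals(principal: Any) -> list[str]:
    """Flatten a statement's Principal element into a list of principal strings."""
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    out: list[str] = []
    # Federated and CanonicalUser principals are included so they surface for
    # review; Service principals are out of scope for this example.
    for key in ("AWS", "Federated", "CanonicalUser"):
        val = principal.get(key, [])
        out.extend([val] if isinstance(val, str) else val)
    return out


def external_policy_grants(policy: dict, trusted: set[str]) -> list[dict]:
    """Allow statements whose principal is public, outside `trusted`, or unparseable."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for p in _aws_principals(stmt.get("Principal")):
            if p == "*":
                kind = "public"
            else:
                m = _ACCOUNT_ID.search(p)
                if m and m.group(1) in trusted:
                    continue
                kind = "external-account" if m else "unrecognized"
            # Conditions are not evaluated here; flag them instead.
            findings.append({"sid": stmt.get("Sid", ""), "principal": p,
                             "kind": kind, "conditional": "Condition" in stmt})
    return findings


def external_acl_grants(acl: dict) -> list[dict]:
    """ACL grants to public groups or to canonical users other than the owner."""
    owner = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        g, perm = grant.get("Grantee", {}), grant.get("Permission")
        if g.get("Type") == "Group" and g.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append({"grantee": g["URI"], "permission": perm, "kind": "public"})
        elif g.get("Type") == "CanonicalUser" and g.get("ID") != owner:
            # A canonical ID cannot be mapped to an account offline, so any
            # non-owner canonical user is reported as cross-account.
            findings.append({"grantee": g["ID"], "permission": perm, "kind": "external-account"})
    return findings


def audit_buckets(buckets: dict, trusted: set[str] = TRUSTED_ACCOUNTS) -> dict:
    """Return {bucket: {"policy": [...], "acl": [...]}} for buckets with external access."""
    report = {}
    for name, data in buckets.items():
        pol = external_policy_grants(data.get("policy", {}), trusted)
        acl = external_acl_grants(data.get("acl", {}))
        if pol or acl:
            report[name] = {"policy": pol, "acl": acl}
    return report


# Constructed sample input: one bucket shared externally, one internal-only.
OWNER_ID = "c0ffee" * 10 + "0000"  # hypothetical 64-char canonical user ID
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_BUCKETS = {
    "shared-reports": {
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PartnerRead", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-reports/*"},
            {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::shared-reports",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
            {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": "arn:aws:s3:::shared-reports/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
        "acl": {"Owner": {"ID": OWNER_ID}, "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    "internal-logs": {
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "TeamRead", "Effect": "Allow",
             "Principal": {"AWS": ["arn:aws:iam::111111111111:role/Auditor", "222222222222"]},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-logs/*"}]},
        "acl": {"Owner": {"ID": OWNER_ID}, "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
             "Permission": "WRITE"}]}},
}

if __name__ == "__main__":
    for bucket, found in audit_buckets(SAMPLE_BUCKETS).items():
        print(bucket, found)
```

Running it reports only `shared-reports`: the policy grants to account 333333333333 and to `*` (the latter flagged as conditional), and the ACL READ grant to AllUsers. `internal-logs` is silent because both policy principals resolve to trusted accounts, the only canonical-user grant is the owner, and the LogDelivery group is not a public group. Feeding real `get_bucket_policy` and `get_bucket_acl` output into `audit_buckets` works unchanged, but for production use the Access Analyzer findings are the right source, since they also account for conditions and access point policies.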
Why other options are incorrect:
- A. S3 Multi-Region Access Points: Provide a single global endpoint that routes requests to buckets in multiple Regions. They are a data-access feature and do not examine who is granted access.
- B. S3 Storage Lens: Provides storage usage and activity metrics across accounts and buckets. It has no view of bucket policy or ACL grants and cannot identify cross-account sharing.
- C. AWS IAM Identity Center: Manages workforce single sign-on and permission sets for human users. It does not analyze resource policies on S3 buckets.
Key Points:
- Use Access Analyzer for S3 (backed by an IAM Access Analyzer analyzer) to audit cross-account and public sharing via bucket policies, ACLs, and access point policies.
- The other options cover multi-Region request routing, storage analytics, and workforce authentication; none of them reports external access to a bucket.
Answer
The correct answer is: D