Question #1006
A developer needs to ensure that all sensitive files stored in an Amazon S3 bucket are encrypted. The solution must automatically detect any unencrypted files and send alerts if security violations occur. Which solution meets these requirements?
A. Use AWS Config to enable S3 bucket encryption checks. Create a rule to detect unencrypted objects. Set up Amazon SNS to notify when the rule is non-compliant.
B. Enable Amazon Macie for the S3 bucket. Configure a classification job to identify unencrypted sensitive files. Use Amazon EventBridge to trigger notifications when Macie findings are generated.
C. Deploy AWS CloudTrail to monitor S3 API activity. Create a Lambda function to analyze logs for unencrypted uploads. Configure the function to send alerts via SNS when issues are found.
D. Set up Amazon GuardDuty to monitor the S3 bucket. Configure GuardDuty to detect unencrypted objects and integrate with Lambda to send notifications via SES.
Explanation
Option B is correct because Amazon Macie specializes in data security and privacy, using machine learning to identify sensitive unencrypted files in S3 buckets. It scans both existing and newly added objects, so detection covers the whole bucket rather than only future uploads. EventBridge triggers notifications based on Macie findings, enabling immediate alerts.
Other options are incorrect because:
- A: AWS Config checks bucket-level encryption settings, not individual object encryption.
- C: CloudTrail + Lambda only monitors API activity (reactive), so it may miss unencrypted files that already exist in the bucket.
- D: GuardDuty focuses on threat detection, not encryption status validation.
Key Points:
1. Macie scans object-level encryption and sensitive data.
2. EventBridge integrates with Macie for automated alerts.
3. Managed services (Macie) reduce custom scripting efforts.
Answer
The correct answer is: B