AWS Certified Solutions Architect - Professional / Question #702 of 529

Question #702

A company needs to audit the security posture of a newly acquired AWS account. The company’s data security team requires a notification only when an Amazon S3 bucket becomes publicly exposed. The company has already established an Amazon Simple Notification Service (Amazon SNS) topic that has the data security team's email address subscribed.

Which solution will meet these requirements?

A

Create an S3 event notification on all S3 buckets for the PutBucketPolicy event. Select the SNS topic as the target for the event notifications.

B

Create an analyzer in AWS Identity and Access Management Access Analyzer. Create an Amazon EventBridge rule for the event type 'Access Analyzer Finding' with a filter for 'isPublic:false.' Select the SNS topic as the EventBridge rule target.

C

Create an Amazon EventBridge rule for the event type 'Bucket-Level API Call via CloudTrail' with a filter for 'PutBucketAcl.' Select the SNS topic as the EventBridge rule target.

D

Activate AWS Config and add the s3-bucket-public-read-prohibited rule. Create an Amazon EventBridge rule for the event type 'Config Rules Compliance Change' with a filter for 'NON_COMPLIANT.' Select the SNS topic as the EventBridge rule target.

Explanation

Option D is correct because AWS Config continuously monitors S3 bucket configurations. The 's3-bucket-public-read-prohibited' rule checks for public access via ACLs or policies. When a bucket becomes non-compliant (public), AWS Config triggers a compliance change event. An EventBridge rule filtered for 'NON_COMPLIANT' sends a notification via the SNS topic, ensuring alerts only for public exposure.

Other options are incorrect:
- A: S3 event notifications on PutBucketPolicy trigger for any policy change, not just public exposure, causing false positives.
- B: IAM Access Analyzer's filter 'isPublic:false' would notify when buckets are not public, opposite of the requirement.
- C: Monitoring PutBucketAcl via CloudTrail misses policy-based public exposure and may alert for non-public ACL changes.

Key Points:
1. AWS Config provides continuous compliance monitoring.
2. The 's3-bucket-public-read-prohibited' rule detects both ACL and policy public access.
3. EventBridge rules can filter AWS Config compliance changes to trigger alerts only for public exposure.
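The flow chosen in option D can be made concrete with the EventBridge event pattern that selects only NON_COMPLIANT evaluations of the s3-bucket-public-read-prohibited rule. The following Python is an added example, not part of the original question or of any AWS documentation: it embeds that pattern, implements the small subset of EventBridge matching semantics the pattern needs (exact values, nested fields), and exercises it against constructed sample Config compliance-change events. The account id, event id and bucket names are placeholders.

```python
import json

# Added example (not from the original page): EventBridge pattern that forwards
# only "public bucket" findings from AWS Config to the SNS target.
# The configRuleName constraint keeps other Config rules' NON_COMPLIANT events
# from also reaching the data security team.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["s3-bucket-public-read-prohibited"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern`.

    This implements the EventBridge exact-match subset: every key in the
    pattern must exist in the event, a list in the pattern means "the event
    value is one of these", and a nested dict is matched recursively.
    Operators such as prefix or anything-but are not needed for this pattern
    and are not implemented.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def should_notify(event):
    """Decide whether this event would be delivered to the SNS topic."""
    return matches(EVENT_PATTERN, event)


def make_compliance_event(rule_name, bucket, compliance_type):
    """Build a constructed Config compliance-change event (sample data, not
    output from a real account) in the shape EventBridge delivers it."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder event id
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "123456789012",  # placeholder account id
        "region": "us-east-1",
        "detail": {
            "messageType": "ComplianceChangeNotification",
            "configRuleName": rule_name,
            "resourceType": "AWS::S3::Bucket",
            "resourceId": bucket,
            "newEvaluationResult": {"complianceType": compliance_type},
        },
    }


if __name__ == "__main__":
    samples = {
        "bucket became public": make_compliance_event(
            "s3-bucket-public-read-prohibited", "example-bucket", "NON_COMPLIANT"),
        "bucket remediated": make_compliance_event(
            "s3-bucket-public-read-prohibited", "example-bucket", "COMPLIANT"),
        "unrelated rule failed": make_compliance_event(
            "s3-bucket-versioning-enabled", "example-bucket", "NON_COMPLIANT"),
    }
    for label, ev in samples.items():
        print(f"{label}: notify={should_notify(ev)}")
    print(json.dumps(EVENT_PATTERN, indent=2))
```

Only the first sample event is forwarded; a bucket returning to COMPLIANT and a different rule's failure are both filtered out, which is the "notification only when a bucket becomes publicly exposed" requirement. Note that Config evaluates the rule on configuration change (and optionally on a periodic schedule), so the alert follows the exposure by the rule's evaluation latency rather than firing on the API call itself.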

Answer

The correct answer is: D