AWS Certified Solutions Architect - Professional / Question #573 of 529

Question #573

A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is enabled in each account. All accounts belong to either the Prod OU or the NonProd OU. The company has configured an Amazon EventBridge rule in each account to notify an Amazon SNS topic when an S3 bucket policy is modified to allow public access (e.g., a policy granting '*' as the principal). The security team is subscribed to the SNS topic. For all accounts in the NonProd OU, the security team needs to prevent the creation of S3 bucket policies that allow public access. Which solution meets this requirement with the LEAST operational overhead?

A

Modify the EventBridge rule to invoke an AWS Lambda function to revert the bucket policy change and publish to the SNS topic. Deploy the updated rule to the NonProd OU.

B

Add the s3-bucket-public-read-prohibited AWS Config managed rule to the NonProd OU.

C

Configure an SCP to allow the s3:PutBucketPolicy action when the value of the aws:Principal condition key does not include '*'. Apply the SCP to the NonProd OU.

D

Configure an SCP to deny the s3:PutBucketPolicy action when the value of the aws:Principal condition key includes '*'. Apply the SCP to the NonProd OU.

Explanation

Option D is the intended answer. Service control policies are preventive guardrails: a Deny statement attached to the NonProd OU is evaluated before any IAM permission in the member accounts and stops the s3:PutBucketPolicy call at the API, so a public policy is never written and there is nothing to notify about or revert. It is one policy, attached once, with nothing to deploy per account and nothing to remediate afterwards, which is why it has the least operational overhead.

Options A and B are detective controls, not preventive ones. The Lambda function in A reverts a policy that has already been written, leaving a window in which the bucket is public, and a Config rule such as s3-bucket-public-read-prohibited (or its companion s3-bucket-public-write-prohibited) only marks the bucket non-compliant. Both also carry more overhead than their wording suggests: EventBridge rules and Config rules are account-scoped resources, so rolling them out to every account in an OU means CloudFormation StackSets or organization Config rules, not attaching something to the OU. Option C cannot work at all: in an SCP an Allow statement cannot carry a Condition element, and an Allow never blocks anything on its own, since SCPs only bound what IAM may grant; only a Deny expresses a guardrail.

One caveat a practitioner should note. aws:Principal is not an existing condition key (the real global keys are aws:PrincipalArn, aws:PrincipalAccount, aws:PrincipalOrgID and similar), and every IAM condition key describes the request context, that is, the caller and its attributes, not the body of the bucket policy being submitted. No SCP condition can read the Principal element inside a PutBucketPolicy request, so the condition in option D cannot be implemented literally. What can be implemented is a Deny on s3:PutBucketPolicy for every caller except a designated administrator role (matched with aws:PrincipalArn), combined with account-level S3 Block Public Access, whose BlockPublicPolicy setting makes S3 itself reject a bucket policy that would grant public access regardless of who submits it. For the exam, D remains the answer because it is the only option that is preventive, organization-wide and attached once.

Answer

The correct answer is: D
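The two halves of the guardrail in this question, modelled locally as an added example (this is not code from the exam page or from AWS). NONPROD_SCP is the implementable form of option D: because no condition key can see the body of the bucket policy being written, it denies s3:PutBucketPolicy to every caller except one break-glass role matched through the real global key aws:PrincipalArn; the role name is an assumption. scp_denies() evaluates just the subset of the policy language that SCP uses. public_statements() is the detective check behind the EventBridge rule and the Lambda function of option A: given the CloudTrail record EventBridge delivers for PutBucketPolicy, it returns the statements that grant access to a wildcard principal. The sample event is constructed.

```python
"""Added example: a NonProd SCP guardrail and the detective check it replaces."""
from fnmatch import fnmatchcase
import json

# Assumed break-glass role; aws:PrincipalArn carries the role ARN, never the
# STS assumed-role session ARN, so the pattern matches the IAM role itself.
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/NonProdBucketPolicyAdmin"

NONPROD_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyBucketPolicyWritesExceptBreakGlass",
        "Effect": "Deny",
        "Action": "s3:PutBucketPolicy",
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(scp, action, principal_arn):
    """True if a Deny statement of the SCP matches this action and caller.

    Models only what NONPROD_SCP needs: wildcard action matching and the
    ArnLike / ArnNotLike operators on aws:PrincipalArn. Any other operator
    is treated as not matching, so the function never over-claims a deny.
    """
    for stmt in _as_list(scp["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        matched = True
        for op, keys in stmt.get("Condition", {}).items():
            patterns = _as_list(keys.get("aws:PrincipalArn", []))
            hit = any(fnmatchcase(principal_arn, p) for p in patterns)
            if op == "ArnLike":
                matched = matched and hit
            elif op == "ArnNotLike":
                matched = matched and not hit
            else:
                matched = False
        if matched:
            return True
    return False


def _is_wildcard_principal(principal):
    """True for "*" and for {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(bucket_policy):
    """Return the Sids (or positions) of Allow statements granted to everyone.

    Conditioned statements are reported as well: S3 treats a few condition
    keys as making a grant non-public, but a NonProd detector should err on
    the strict side and leave those for a human to review.
    """
    flagged = []
    for i, stmt in enumerate(_as_list(bucket_policy.get("Statement", []))):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            flagged.append(stmt.get("Sid", f"Statement[{i}]"))
    return flagged


def check_put_bucket_policy_event(event):
    """Inspect the CloudTrail record that EventBridge places in event["detail"].

    CloudTrail stores the submitted policy under requestParameters.bucketPolicy,
    normally as a parsed JSON object; a JSON string is tolerated too.
    """
    detail = event["detail"]
    if detail.get("eventSource") != "s3.amazonaws.com" or detail.get("eventName") != "PutBucketPolicy":
        return []
    policy = detail["requestParameters"]["bucketPolicy"]
    if isinstance(policy, str):
        policy = json.loads(policy)
    return public_statements(policy)


# Constructed sample: a developer grants s3:GetObject on a NonProd bucket to everyone.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"},
        "requestParameters": {
            "bucketName": "nonprod-assets",
            "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                {"Sid": "AppRead", "Effect": "Allow", "Action": "s3:GetObject",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/App"},
                 "Resource": "arn:aws:s3:::nonprod-assets/*"},
                {"Sid": "PublicRead", "Effect": "Allow", "Action": "s3:GetObject",
                 "Principal": "*", "Resource": "arn:aws:s3:::nonprod-assets/*"},
            ]},
        },
    },
}

if __name__ == "__main__":
    print("public statements:", check_put_bucket_policy_event(SAMPLE_EVENT))
    for role in ("Developer", "NonProdBucketPolicyAdmin"):
        arn = f"arn:aws:iam::111122223333:role/{role}"
        print(f"SCP denies PutBucketPolicy for {role}:", scp_denies(NONPROD_SCP, "s3:PutBucketPolicy", arn))
```

The detective half is what the company already has and what option A automates; the SCP half is what makes it unnecessary in NonProd. In practice the SCP would be paired with account-level S3 Block Public Access so that even the break-glass role cannot write a public policy, and that setting would itself be protected by a Deny on the s3:PutAccountPublicAccessBlock action.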