Question #642
A company manages multiple AWS accounts under a single AWS Organizations umbrella. Several Amazon S3 buckets across these accounts are missing the required Department tag, which is critical for cost allocation and governance. The cloud team needs to address the existing issue and ensure future compliance. Which combination of actions should be taken? (Choose three.)
A. Create an AWS Config rule in each account to detect S3 buckets missing the Department tag.
B. Implement an SCP at the organization level to block creation of S3 buckets without the Department tag.
C. Use Amazon Inspector to scan all S3 buckets for missing Department tags.
D. Apply an IAM policy in each account to deny s3:CreateBucket requests without the Department tag.
E. Set up an AWS Config aggregator to compile a centralized report of non-compliant S3 buckets across the organization.
F. Use AWS Security Hub to aggregate findings about S3 buckets lacking the Department tag.
Explanation
A: AWS Config rules in each account identify existing S3 buckets that are missing the Department tag, addressing the detection side of the problem.
B: SCPs at the organization level prevent the creation of S3 buckets without the required tag in every member account, ensuring future compliance.
E: An AWS Config aggregator compiles the per-account rule results into a single centralized report, giving visibility across all accounts in the organization.
Other options:
C: Amazon Inspector focuses on software vulnerabilities and network exposure, not resource tagging.
D: IAM policies must be maintained in each account individually and are less efficient than SCPs for organization-wide enforcement.
F: Security Hub aggregates findings but is redundant for this purpose if a Config aggregator is already in place.
Key Points:
- Use AWS Config for compliance checks and reporting.
- SCPs enforce guardrails across all accounts.
- Centralized monitoring ensures governance at scale.
Answer
The correct answer is: ABE