Question #939
A company is using AWS Control Tower to manage AWS accounts in an organization in AWS Organizations. The company has an OU containing accounts. The company must prevent any new or existing Amazon S3 buckets in the OU's accounts from being configured with public access. Which solution will meet these requirements?
A. Configure AWS Systems Manager to run automation scripts that detect and remove public access settings from all S3 buckets in the OU's accounts. Schedule the automation to run periodically.
B. Implement the AWS Control Tower proactive control to check whether S3 buckets in the OU's accounts have public access enabled. Set the BlockPublicAccess property to true. Attach the proactive control to the OU.
C. Create an SCP that denies the s3:PutBucketPolicy and s3:PutBucketPublicAccessBlock actions for all buckets in the OU's accounts. Attach the SCP to the OU.
D. Create an AWS Config custom rule to detect S3 buckets with public access enabled. Configure a remediation action using AWS Lambda to enforce Block Public Access settings on non-compliant buckets.
Explanation
Option C is correct because Service Control Policies (SCPs) in AWS Organizations can explicitly deny the ability to modify S3 bucket policies (s3:PutBucketPolicy) and public access block settings (s3:PutBucketPublicAccessBlock). By attaching this SCP to the OU, all accounts within it are prevented from configuring public access on any S3 buckets, both new and existing. This is a preventive measure that blocks the root cause of public access configuration.
Other options are incorrect because:
- A relies on periodic automation, leaving a window where buckets could be public.
- B refers to proactive controls, which may only check compliance during resource creation and not enforce Block Public Access retroactively on existing buckets.
- D uses AWS Config for remediation, which is reactive and introduces delays.
Key Points:
1. SCPs enforce permissions across all accounts in an OU.
2. Denying s3:PutBucketPolicy and s3:PutBucketPublicAccessBlock prevents public access configuration.
3. Preventive controls (SCPs) are more effective than reactive solutions for compliance.
Answer
The correct answer is: C
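As an added example (not part of the original question), the SCP that option C describes, written out as a policy document, with a local check that it denies the two named actions and a helper that creates and attaches it to an OU via the AWS CLI. The OU id and policy name are placeholders.

```shell
# Added example, not part of the original question: builds the SCP that option C
# describes and attaches it to an OU with the AWS CLI. OU id and name are placeholders.
set -eu

# Emit the SCP document: an explicit Deny on the two actions a principal in a
# member account would need to open a bucket to the public or weaken its
# Block Public Access configuration. An SCP Deny cannot be overridden by IAM.
scp_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3PublicAccessChanges",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Sanity check that needs no AWS access: the document denies exactly the two
# actions named in the question. Returns non-zero if either is missing.
check_document() {
  doc="$(scp_document)"
  printf '%s\n' "$doc" | grep -q '"Effect": "Deny"' &&
    printf '%s\n' "$doc" | grep -q '"s3:PutBucketPolicy"' &&
    printf '%s\n' "$doc" | grep -q '"s3:PutBucketPublicAccessBlock"'
}

# Create the policy in AWS Organizations and attach it to the target OU. Run with
# management-account or delegated-administrator credentials; prints the policy id.
deploy_scp() {
  ou_id="$1"                         # placeholder, e.g. ou-xxxx-xxxxxxxx
  name="${2:-DenyS3PublicAccess}"
  policy_id="$(aws organizations create-policy \
    --name "$name" \
    --description "Deny changes that could make S3 buckets public" \
    --type SERVICE_CONTROL_POLICY \
    --content "$(scp_document)" \
    --query 'Policy.PolicySummary.Id' --output text)"
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$ou_id"
  echo "$policy_id"
}
```

Because the Deny on s3:PutBucketPublicAccessBlock also stops member accounts from tightening that setting, enable Block Public Access on the buckets before attaching the policy. SCPs never apply to the organization's management account.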