Q69 — AWS DOP-C02 Ch.1
Within an AWS Organization, a company operates multiple accounts. The SecOps team requires Amazon SNS notifications whenever any account disables the Block Public Access setting on an Amazon S3 bucket. A DevOps engineer must implement this change without impacting any AWS account operations. The implementation must prevent individual member accounts from disabling the notification mechanism.
- A. Designate an account as the delegated Amazon GuardDuty administrator. Enable GuardDuty across all organization accounts. In the administrator account, create an SNS topic, subscribe the SecOps team’s email address, and create an Amazon EventBridge rule targeting GuardDuty findings with the SNS topic.
- B. Create an AWS CloudFormation template that defines an SNS topic and subscribes the SecOps team’s email. Include an Amazon EventBridge rule matching the CloudTrail event s3:PutBucketPublicAccessBlock, with the SNS topic as target. Deploy the stack across all accounts using CloudFormation StackSets.
- C. Enable AWS Config across the organization. In the delegated administrator account, create an SNS topic and subscribe the SecOps team’s email. Deploy a conformance pack using the AWS Config managed rule s3-bucket-level-public-access-prohibited and use AWS Systems Manager Documents to publish noncompliance events to the SNS topic. ✓
- D. Enable Amazon Inspector across the organization. In the Amazon Inspector delegated administrator account, create an SNS topic and subscribe the SecOps team’s email. Create an Amazon EventBridge rule matching public exposure events for S3 buckets and publish notifications to the SNS topic.
Correct Answer: C. Enable AWS Config across the organization. In the delegated administrator account, create an SNS topic and subscribe the SecOps team’s email. Deploy a conformance pack using the AWS Config managed rule s3-bucket-level-public-access-prohibited and use AWS Systems Manager Documents to publish noncompliance events to the SNS topic.
Explanation
AWS Config is purpose-built for evaluating resource configurations against compliance rules. The managed rule s3-bucket-level-public-access-prohibited directly detects S3 buckets whose Block Public Access settings have been disabled. Option C relies on AWS Config's centralized, organization-wide enforcement from the delegated administrator account, which prevents member accounts from disabling the monitoring and so satisfies the requirement that the notification mechanism cannot be turned off. Option A misuses GuardDuty, which is designed for threat detection rather than configuration drift. Option B's StackSets deploy resources into each member account, where they can be overridden by that account. Option D's Amazon Inspector does not monitor S3 public access configurations. Hence, Option C is correct.