Q69 — AWS DOP-C02 Ch.1


Within an AWS Organization, a company operates multiple accounts. The SecOps team requires Amazon SNS notifications whenever any account disables the Block Public Access setting on an Amazon S3 bucket. A DevOps engineer must implement this change without impacting any AWS account operations. The implementation must prevent individual member accounts from disabling the notification mechanism.

Correct Answer: C. Enable AWS Config across the organization. In the delegated administrator account, create an SNS topic and subscribe the SecOps team’s email. Deploy a conformance pack using the AWS Config managed rule s3-bucket-level-public-access-prohibited and use AWS Systems Manager Documents to publish noncompliance events to the SNS topic.

Explanation

AWS Config is purpose-built for evaluating resource configurations against compliance rules. The managed rule s3-bucket-level-public-access-prohibited directly detects an S3 bucket whose Block Public Access settings have been disabled. Option C relies on AWS Config's centralized, organization-wide deployment: a conformance pack pushed from the delegated administrator account is owned by that account, so member accounts cannot delete or disable the monitoring, which satisfies the requirement that the notification mechanism be tamper-proof. Option A misuses GuardDuty, which is designed for threat detection, not configuration drift. Option B's StackSets can be overridden by member accounts. Option D's Inspector does not monitor S3 public access configurations. Hence, Option C is correct.
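As an added illustration of the Option C design (not part of the original question or an AWS-provided template), the conformance pack below pairs the managed rule with a remediation configuration that runs the AWS-PublishSNSNotification Systems Manager document on every NON_COMPLIANT evaluation. The SNS topic ARN and the automation role ARN are placeholders; the role is assumed to allow sns:Publish on that topic.

```yaml
# Conformance pack (added example): alert SecOps when a bucket's
# Block Public Access settings are disabled anywhere in the organization.
Resources:
  S3BucketLevelPublicAccessProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-level-public-access-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  NotifySecOpsOnNoncompliance:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: S3BucketLevelPublicAccessProhibited
    Properties:
      ConfigRuleName: s3-bucket-level-public-access-prohibited
      TargetType: SSM_DOCUMENT
      TargetId: AWS-PublishSNSNotification   # AWS-owned automation document
      # Fire automatically on each NON_COMPLIANT result; no human click needed.
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              # placeholder: role in each member account, trusted by SSM,
              # with sns:Publish on the SecOps topic
              - arn:aws:iam::<MEMBER_ACCOUNT_ID>:role/ConfigRemediationRole
        TopicArn:
          StaticValue:
            Values:
              # placeholder: topic created in the delegated administrator account
              - arn:aws:sns:<REGION>:<DELEGATED_ADMIN_ACCOUNT_ID>:s3-public-access-alerts
        Message:
          # RESOURCE_ID resolves to the noncompliant bucket name at run time,
          # so the notification identifies which bucket changed.
          ResourceValue:
            Value: RESOURCE_ID
```

Deploying it with `aws configservice put-organization-conformance-pack` from the delegated administrator account makes the pack organization-owned, which is what stops a member account from removing the rule or its remediation. The topic's access policy must allow sns:Publish from the remediation role in each member account, otherwise the automation runs but the notification is rejected.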