Q66 — AWS DOP-C02 Ch.2


A company uses Amazon S3 to store sensitive information. The development team creates new buckets daily for new projects. The security team wants to ensure that both existing and newly created buckets have encryption, logging, and versioning enabled. Additionally, no bucket should be publicly readable or writable.

Correct Answer: B. Enable AWS Config rules and use AWS Systems Manager Documents to configure automatic remediation.

Explanation

AWS Config continuously monitors AWS resource configurations—including Amazon S3 bucket settings—and evaluates them against defined rules (e.g., s3-bucket-server-side-encryption-enabled, s3-bucket-versioning-enabled, s3-bucket-public-read-prohibited). When noncompliant resources are detected, AWS Config can trigger remediation actions. AWS Systems Manager Documents provide standardized, executable runbooks to perform corrective actions—such as enabling encryption, versioning, logging, and updating bucket policies. This combination delivers continuous compliance enforcement with automated, auditable remediation. Options A and C lack native S3 configuration evaluation capabilities. Option D omits AWS Config, which is required for policy-based monitoring.