Q66 — AWS DOP-C02 Ch.2
A company uses Amazon S3 to store sensitive information. The development team creates new buckets daily for new projects. The security team wants to ensure that both existing and newly created buckets have encryption, logging, and versioning enabled. Additionally, no bucket should be publicly readable or writable.
- A. Enable AWS CloudTrail and use AWS Lambda to configure automatic remediation.
- B. Enable AWS Config rules and use AWS Systems Manager Documents to configure automatic remediation. ✓
- C. Enable AWS Trusted Advisor and use Amazon CloudWatch Events to configure automatic remediation.
- D. Enable AWS Systems Manager and use Systems Manager Documents to configure automatic remediation.
Correct Answer: B. Enable AWS Config rules and use AWS Systems Manager Documents to configure automatic remediation.
Explanation
AWS Config continuously monitors AWS resource configurations—including Amazon S3 bucket settings—and evaluates them against defined rules (e.g., s3-bucket-server-side-encryption-enabled, s3-bucket-versioning-enabled, s3-bucket-public-read-prohibited). When noncompliant resources are detected, AWS Config can trigger remediation actions. AWS Systems Manager Documents provide standardized, executable runbooks to perform corrective actions—such as enabling encryption, versioning, logging, and updating bucket policies. This combination delivers continuous compliance enforcement with automated, auditable remediation. Options A and C lack native S3 configuration evaluation capabilities. Option D omits AWS Config, which is required for policy-based monitoring.