Q87 — AWS DOP-C02 Ch.2
A company operates multiple accounts within an AWS Organizations organization. If any account in the organization disables the 'Block Public Access' setting on an Amazon S3 bucket, the company's SecOps team must receive an Amazon Simple Notification Service (Amazon SNS) notification. A DevOps engineer must implement this requirement without impacting any AWS account operations. The implementation must prevent individual member accounts in the organization from disabling notifications.
- A. Designate one account as the delegated Amazon GuardDuty administrator account. Enable GuardDuty across all accounts in the organization. In the GuardDuty administrator account, create an SNS topic and subscribe the SecOps team's email address. Also in that account, create an Amazon EventBridge rule with an event pattern for GuardDuty findings and the SNS topic as the target. ✓
- B. Create an AWS CloudFormation template that creates an SNS topic and subscribes the SecOps team's email address. Include in the template an Amazon EventBridge rule with an event pattern for CloudTrail events of s3:PutBucketPublicAccessBlock and the SNS topic as the target. Deploy the stack to every account in the organization using CloudFormation StackSets.
- C. Enable AWS Config across the entire organization. In the delegated administrator account, create an SNS topic and subscribe the SecOps team's email address. Deploy a conformance pack containing the s3-bucket-level-public-access-prohibited AWS Config managed rule to each account, and use an AWS Systems Manager document to publish events to the SNS topic to notify the SecOps team.
- D. Enable Amazon Inspector across the organization. In the Amazon Inspector delegated administrator account, create an SNS topic and subscribe the SecOps team's email address. In the same account, create an Amazon EventBridge rule with an event pattern for publicly exposed S3 buckets and publish events to the SNS topic to notify the SecOps team.
Correct Answer: A. Designate one account as the delegated Amazon GuardDuty administrator account. Enable GuardDuty across all accounts in the organization. In the GuardDuty administrator account, create an SNS topic and subscribe the SecOps team's email address. Also in that account, create an Amazon EventBridge rule with an event pattern for GuardDuty findings and the SNS topic as the target.
Explanation
Option A provides centralized management, which Option B does not. It relies on Amazon GuardDuty, which natively integrates with Amazon SNS and detects threats in AWS environments. Option B, by contrast, requires custom CloudTrail-based EventBridge rules deployed through CloudFormation, which adds complexity and operational overhead for monitoring and maintenance.