Q43 — AWS DOP-C02 Ch.3

A company uses Amazon S3 to store sensitive information. The development team creates new buckets daily for new projects. The security team wants to ensure that both existing and newly created buckets have encryption, logging, and versioning enabled. Additionally, no bucket should be publicly writable.

Correct Answer: B. Enable AWS Config rules using AWS Systems Manager Documents and configure automatic remediation.

Explanation

This question tests methods for ensuring S3 bucket configuration compliance using AWS services. AWS documentation states that AWS Config evaluates whether resources comply with predefined rules and, when integrated with Systems Manager Automation, enables automatic remediation. Option B uses AWS Config to continuously monitor bucket configurations; when encryption, logging, or versioning is found disabled, it triggers a Systems Manager Document to perform automatic remediation. Other options are incorrect: CloudTrail (A) lacks automatic remediation capability, Trusted Advisor (C) provides only recommendations, and Systems Manager alone (D) does not specify integration with Config.