Q43 — AWS DOP-C02 Ch.3
A company uses Amazon S3 to store sensitive information. The development team creates new buckets daily for new projects. The security team wants to ensure that both existing and newly created buckets have encryption, logging, and versioning enabled. Additionally, no bucket should be publicly writable.
- A. Enable AWS CloudTrail and configure automatic remediation using AWS Lambda.
- B. Enable AWS Config rules using AWS Systems Manager Documents and configure automatic remediation. ✓
- C. Enable AWS Trusted Advisor using Amazon EventBridge and configure automatic remediation.
- D. Enable AWS Systems Manager and configure automatic remediation using Systems Manager Documents.
Correct Answer: B. Enable AWS Config rules using AWS Systems Manager Documents and configure automatic remediation.
Explanation
This question tests methods for ensuring S3 bucket configuration compliance using AWS services. AWS documentation states that AWS Config evaluates whether resources comply with predefined rules and, when integrated with Systems Manager Automation, enables automatic remediation. Option B uses AWS Config to continuously monitor bucket configurations, covering both existing buckets and the new ones the development team creates daily; when a bucket is found with encryption, logging, or versioning disabled, or with public write access allowed, the non-compliant evaluation triggers a Systems Manager Document that performs the remediation automatically. The other options are incorrect: CloudTrail (A) records API activity but has no remediation capability of its own, Trusted Advisor (C) provides only recommendations, and Systems Manager alone (D) does not specify the integration with Config that is needed to detect non-compliant buckets in the first place.