Q49 — AWS SCS-C02 Ch.1
A company has AWS accounts that are in an organization in AWS Organizations. An Amazon S3 bucket in one of the accounts is publicly accessible. A security engineer must change the configuration so that the S3 bucket is no longer publicly accessible. The security engineer also must ensure that the S3 bucket cannot be made publicly accessible in the future. Which solution will meet these requirements?
- A. Configure the S3 bucket to use an AWS Key Management Service (AWS KMS) key. Encrypt all objects in the S3 bucket by creating a bucket policy that enforces encryption. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.  
- B. Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.  
- C. Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.   ✓
- D. Configure the S3 bucket to use S3 Object Lock in governance mode. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.
Correct Answer: C. Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.  
Explanation
The Amazon S3 PublicAccessBlock setting prevents a bucket or its objects from being granted public access. Enabling this configuration and pairing it with a service control policy (SCP) that denies the s3:PutPublicAccessBlock action ensures that the bucket is not publicly accessible now and that the setting cannot be changed in the future. Option C directly targets maintaining the bucket's public access controls, whereas the other options either fail to effectively restrict changes to those controls or rely on unrelated features such as encryption or Object Lock. Per the AWS documentation, combining PublicAccessBlock with an SCP is the recommended best practice for strictly governing a bucket's public access state.