Q66 — AWS SCS-C02 Ch.1
Question 66 of 100, Chapter 1
A company uses AWS Config rules to identify Amazon S3 buckets that are not compliant with the company's data protection policy. The S3 buckets are hosted in several AWS Regions and several AWS accounts. The accounts are in an organization in AWS Organizations. The company needs a solution to remediate the organization's existing noncompliant S3 buckets and any noncompliant S3 buckets that are created in the future. Which solution will meet these requirements?
- A. Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets. ✓
- B. Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.
- C. Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.
- D. Deploy an AWS Config aggregator that scopes only the accounts and Regions that the company currently uses. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.
Correct Answer: A. Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.
Explanation
AWS Config monitors resource configuration compliance. The question requires centralized monitoring across Regions and accounts, plus timely remediation of both existing and future noncompliant S3 buckets. Following AWS best practice, an organization-wide Config aggregator collects data from all member accounts and Regions; once aggregated, it can uniformly trigger a Lambda function that performs the remediation (deleting or reconfiguring the bucket). An SCP can restrict the creation of new resources, but it cannot handle resources that already exist and is complex to configure. Option A uses Lambda to respond in real time to Config's compliance evaluation results, covering both existing and future resources. The other options either aggregate too narrow a scope (C, D) or rely on an SCP that ignores existing resources (B, D). The correct answer is A.