Explanation:
The correct answer is D. Using the S3 Block Public Access feature at the account level ensures that no S3 buckets or objects can be made public, providing a comprehensive and fail-safe solution. Additionally, using AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting ensures that no accidental or unauthorized modifications can bypass this protection. This approach provides both a technical and administrative safeguard against public exposure of S3 objects.
Ultimate access to all questions.
How can an image-hosting company ensure that all objects in its Amazon S3 buckets remain private and avoid accidental public exposure?
A
Monitor S3 bucket policies with Amazon GuardDuty and set up an AWS Lambda function for automatic remediation of public access changes.
B
Utilize AWS Trusted Advisor to identify publicly accessible S3 buckets, set up email alerts, and manually adjust bucket policies as needed.
C
Employ AWS Resource Access Manager to detect publicly accessible S3 buckets, use Amazon SNS to trigger a Lambda function for automated remediation upon policy change detection.
D
Implement the S3 Block Public Access feature at the account level and enforce a service control policy via AWS Organizations to restrict IAM users from altering this setting.
No comments yet.