
A company with multiple accounts in AWS Organizations requires an implementation that ensures the SecOps team receives an Amazon SNS notification when any account disables the Block Public Access feature on an Amazon S3 bucket. This implementation must be done without disrupting the operations of any AWS accounts and must prevent individual member accounts from disabling the notification. Which solution meets these requirements?
A
Designate an account as the delegated Amazon GuardDuty administrator account, enable GuardDuty for all accounts in the organization, create an SNS topic in the GuardDuty administrator account, subscribe the SecOps team's email to the SNS topic, and create an Amazon EventBridge rule in the same account with an event pattern for GuardDuty findings targeting the SNS topic.
B
Create an AWS CloudFormation template that sets up an SNS topic and subscribes the SecOps team’s email to it, includes an Amazon EventBridge rule with an event pattern for CloudTrail activity related to s3:PutBucketPublicAccessBlock, and deploys the stack to all accounts in the organization using CloudFormation StackSets.
C
Enable AWS Config across the organization, create an SNS topic in the delegated administrator account, subscribe the SecOps team's email to the SNS topic, and deploy a conformance pack using the s3-bucket-level-public-access-prohibited AWS Config managed rule in each account, with an AWS Systems Manager document to publish an event to the SNS topic notifying the SecOps team.
D
Enable Amazon Inspector across the organization, create an SNS topic in the Amazon Inspector delegated administrator account, subscribe the SecOps team’s email to the SNS topic, and create an Amazon EventBridge rule in the same account with an event pattern for public network exposure of the S3 bucket, publishing an event to the SNS topic to notify the SecOps team.