AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company needs to review its AWS Cloud deployment to ensure that its Amazon S3 buckets do not have unauthorized configuration changes.
What should a solutions architect do to accomplish this goal?
Other
Community
UAnonymous
A
Turn on AWS Config with the appropriate rules.
B
Turn on AWS Trusted Advisor with the appropriate checks.
D
Turn on Amazon S3 server access logging. Configure Amazon EventBridge (Amazon CloudWatch Events).
Explanation:
Explanation
AWS Config is the correct solution for monitoring configuration changes to AWS resources, including Amazon S3 buckets. Here's why:
Why AWS Config is the right choice:
- Configuration Tracking: AWS Config continuously monitors and records configuration changes to AWS resources
- Compliance Rules: You can create AWS Config rules to evaluate whether your S3 bucket configurations comply with desired settings
- Change Notifications: AWS Config can send notifications when unauthorized configuration changes occur
- Historical Configuration: It maintains a history of configuration changes, allowing you to see what changed, when, and by whom
Why other options are not optimal:
Option B - AWS Trusted Advisor:
- Provides best practice recommendations and cost optimization
- Not designed for real-time monitoring of configuration changes
- Checks are periodic, not continuous
Option C - Amazon Inspector:
- Security assessment service for EC2 instances and container images
- Focuses on vulnerability assessment, not configuration monitoring
- Not designed for S3 bucket configuration tracking
Option D - S3 Server Access Logging + EventBridge:
- S3 server access logging tracks object-level access (GET, PUT, DELETE operations)
- Does not monitor bucket configuration changes (like bucket policies, CORS settings, versioning, etc.)
- EventBridge can react to events but doesn't provide the comprehensive configuration monitoring that AWS Config offers
Best Practice Implementation:
To properly monitor S3 bucket configurations:
- Enable AWS Config in the region where your S3 buckets are located
- Create AWS Config rules specific to S3 (e.g.,
s3-bucket-public-read-prohibited,s3-bucket-public-write-prohibited) - Configure AWS Config to send notifications via Amazon SNS when non-compliant changes are detected
- Use AWS Config's compliance dashboard to view the compliance status of all your S3 buckets
This approach provides continuous monitoring, automated compliance checking, and alerting for unauthorized configuration changes to S3 buckets.
Comments
Loading comments...