Answer-first summary for fast verification
Answer: Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.
## Explanation **Correct Answer: D** The S3 Block Public Access feature at the account level provides the most comprehensive and proactive solution to prevent accidental public exposure of S3 objects. Here's why: ### Why Option D is Correct: 1. **S3 Block Public Access at Account Level**: This feature prevents any public access to S3 buckets across the entire AWS account, regardless of individual bucket policies or ACLs. It acts as a safety net. 2. **AWS Organizations SCP**: The Service Control Policy (SCP) prevents IAM users from changing the S3 Block Public Access settings, ensuring the protection remains in place. 3. **Proactive Prevention**: Unlike monitoring and remediation approaches, this solution prevents the problem from occurring in the first place. ### Why Other Options are Incorrect: **Option A (Amazon GuardDuty)**: - GuardDuty is a threat detection service, not a prevention tool - It monitors for suspicious activity but doesn't prevent public access - Remediation after detection still leaves a window of exposure **Option B (AWS Trusted Advisor)**: - Trusted Advisor provides recommendations but is not a prevention tool - Manual remediation is slow and error-prone - Email notifications don't prevent accidental exposure **Option C (AWS Resource Access Manager)**: - RAM is for sharing resources across accounts, not for security monitoring - This approach uses incorrect services for the requirement - Complex setup with multiple services when simpler solutions exist ### Key AWS Concepts: - **S3 Block Public Access**: A centralized control that overrides all other permissions settings - **Service Control Policies (SCPs)**: Centralized policies in AWS Organizations that set maximum permissions for accounts - **Defense in Depth**: The solution implements multiple layers of protection (prevention + policy enforcement) This solution aligns with AWS security best practices by using built-in, account-level controls rather than complex monitoring and remediation workflows.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
An image-hosting company stores its objects in Amazon S3 buckets. The company wants to avoid accidental exposure of the objects in the S3 buckets to the public. All S3 objects in the entire AWS account need to remain private.
Which solution will meet these requirements?
A
Use Amazon GuardDuty to monitor S3 bucket policies. Create an automatic remediation action rule that uses an AWS Lambda function to remediate any change that makes the objects public.
B
Use AWS Trusted Advisor to find publicly accessible S3 buckets. Configure email notifications in Trusted Advisor when a change is detected. Manually change the S3 bucket policy if it allows public access.
C
Use AWS Resource Access Manager to find publicly accessible S3 buckets. Use Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function when a change is detected. Deploy a Lambda function that programmatically remediates the change.
D
Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.