
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 119 discussion

A company has AWS accounts that are in an organization in AWS Organizations. An Amazon S3 bucket in one of the accounts is publicly accessible.

A security engineer must change the configuration so that the S3 bucket is no longer publicly accessible. The security engineer also must ensure that the S3 bucket cannot be made publicly accessible in the future.

Which solution will meet these requirements?

  • A. Configure the S3 bucket to use an AWS Key Management Service (AWS KMS) key. Encrypt all objects in the S3 bucket by creating a bucket policy that enforces encryption. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.
  • B. Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.
  • C. Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.
  • D. Configure the S3 bucket to use S3 Object Lock in governance mode. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.
Suggested Answer: C
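As an added worked example (not part of the exam question or of any comment here): the bucket-level Block Public Access settings, an SCP that denies s3:PutPublicAccessBlock, and a simplified action matcher showing why the SCP from option B (deny s3:GetObject) does not stop anyone from switching Block Public Access back off, while the SCP from option C does. Both policy documents are constructed for this example; real SCP evaluation also involves Condition elements and the full set of policies in the account's path.

```python
import fnmatch

# Constructed example (not from the original page): the two controls that
# answer C combines: Block Public Access on the bucket, and an SCP that
# denies the API call which could switch Block Public Access off again.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

SCP_DENY_DISABLE_BPA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingBlockPublicAccess",
        "Effect": "Deny",
        "Action": ["s3:PutPublicAccessBlock"],
        "Resource": "*",
    }],
}

# Option B's SCP for comparison: denies object reads, not the config change.
SCP_DENY_GETOBJECT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}],
}


def scp_explicitly_denies(policy: dict, action: str) -> bool:
    """True if any Deny statement's Action pattern matches `action`.

    Simplified SCP evaluation: only Effect and Action are considered (no
    Condition, NotAction or Resource matching), which is enough for these
    documents. IAM action names match case-insensitively with '*' wildcards.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            return True
    return False


def bpa_fully_enabled(config: dict) -> bool:
    """All four Block Public Access flags must be on for the bucket to be locked."""
    return all(config.get(k) is True for k in PUBLIC_ACCESS_BLOCK)
```

Running `scp_explicitly_denies` with each SCP against "s3:PutPublicAccessBlock" makes the difference between options B and C concrete: only the option C document returns True.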

Comments

helloworldabc
2 months, 2 weeks ago
just B
upvoted 1 times
Olaunfazed
5 months, 1 week ago
Answer is B Enabling the PublicAccessBlock configuration on the S3 bucket prevents public access. Additionally, configuring an SCP (Service Control Policy) to deny the s3:GetObject action for the organizational unit (OU) containing the AWS account ensures that the bucket remains private.
upvoted 1 times
Davidng88
2 months, 3 weeks ago
Configuring an SCP to deny the s3:GetObject action prevents public access to S3 objects, but denying the s3:PutPublicAccessBlock action prevents any changes that would disable the PublicAccessBlock settings, ensuring that the bucket remains private in the future.
upvoted 1 times
sema2232
5 months, 3 weeks ago
why not B?
upvoted 1 times
aescudero51
6 months, 2 weeks ago
Selected Answer: C
Enable PublicAccessBlock Configuration: https://aws.amazon.com/s3/features/block-public-access/?nc1=h_ls

Configure an SCP (Service Control Policy): An SCP is a policy that you can attach to an AWS Organization, organizational unit (OU), or an account. It acts as a guardrail to control permissions across accounts. In your case, you want to deny the s3:PutPublicAccessBlock action for the OU containing your AWS account.

Go to the AWS Organizations console. Navigate to the OU that contains your account. Create a new SCP or edit an existing one. Add a statement that denies the s3:PutPublicAccessBlock action for the relevant S3 buckets. Attach the SCP to the OU. Ensure that your AWS account is part of the OU.
upvoted 2 times
Zek
6 months, 3 weeks ago
C Enable the PublicAccessBlock & use SCP to deny the s3:PutPublicAccessBlock action
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other (20%)