ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 430 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 430
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A Company had a security event whereby an Amazon S3 bucket with sensitive information was made public. Company policy is to never have public S3 objects, and the Compliance team must be informed immediately when any public objects are identified.
How can the presence of a public S3 object be detected, set to trigger alarm notifications, and automatically remediated in the future? (Choose two.)

  • A. Turn on object-level logging for Amazon S3. Turn on Amazon S3 event notifications to notify by using an Amazon SNS topic when a PutObject API call is made with a public-read permission.
  • B. Configure an Amazon CloudWatch Events rule that invokes an AWS Lambda function to secure the S3 bucket.
  • C. Use the S3 bucket permissions for AWS Trusted Advisor and configure a CloudWatch event to notify by using Amazon SNS.
  • D. Turn on object-level logging for Amazon S3. Configure a CloudWatch event to notify by using an SNS topic when a PutObject API call with public-read permission is detected in the AWS CloudTrail logs.
  • E. Schedule a recursive Lambda function to regularly change all object permissions inside the S3 bucket.
Show Suggested Answer Hide Answer
Suggested Answer: BD 🗳️
by awsec2 at Sept. 12, 2019, 11:18 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
donathon
Highly Voted 3 years, 3 months ago
A: There is a possibility that the event may be missed using this method. Amazon S3 event notifications typically deliver events in seconds but can sometimes take a minute or longer. On very rare occasions, events might be lost. https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html B: This actively remediate the public access. https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/ C: This is possible but not complete. This Trusted Advisor check doesn't monitor for bucket policies that override bucket ACLs. https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/ https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/#security https://willhamill.com/2018/02/19/get-alerts-when-an-s3-bucket-is-made-public-in-your-aws-account D: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/log-s3-data-events.html E: Not feasible.
upvoted 29 times
donathon
3 years, 3 months ago
Answer is BD BTW.
upvoted 17 times
...
Moon
3 years, 3 months ago
Good resources... Support "B & D" too.
upvoted 6 times
...
Waiweng
3 years, 2 months ago
B D it's good
upvoted 5 times
...
awsenthu
3 years, 3 months ago
cloudtrail will take 15min to deliver the logs, my take is A and B https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
upvoted 2 times
...
Load full discussion...
...
awsec2
Highly Voted 3 years, 3 months ago
b,d https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
upvoted 14 times
dpvnme
3 years, 3 months ago
yes, A is not possible with S3 event notification
upvoted 4 times
...
...
SkyZeroZx
Most Recent 1 year, 6 months ago
Selected Answer: BD
B D it's good
upvoted 1 times
...
niu_tim
2 years, 11 months ago
A is not correct, the permission can't be detected by event notification. Event format is here:https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-content-structure.html
upvoted 7 times
...
AzureDP900
3 years, 1 month ago
I will go with BD
upvoted 1 times
...
vbal
3 years, 1 month ago
demand of this 'How can the existence of a public S3 item be recognized' mean D & not C
upvoted 1 times
...
vbal
3 years, 1 month ago
B&C ; https://aws.amazon.com/about-aws/whats-new/2018/02/aws-trusted-advisors-s3-bucket-permissions-check-is-now-free/
upvoted 1 times
...
andylogan
3 years, 2 months ago
It's B D
upvoted 1 times
...
amithbti416
3 years, 2 months ago
B and D Amazon CloudWatch Events to detect PutObject and PutObjectAcl API calls in near real time and helps ensure that the objects remain private by making automatic PutObjectAcl calls, when necessary.
upvoted 1 times
...
WhyIronMan
3 years, 2 months ago
I'll go with B,D
upvoted 1 times
...
ExtHo
3 years, 2 months ago
Any Thought on A,D many peoples referring as "On very rare occasions, events might be lost" to rule out A on https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html I don't found event might be lost Important Amazon S3 event notifications are designed to be delivered at least once. Typically, event notifications are delivered in seconds but can sometimes take a minute or longer.
upvoted 2 times
...
AJBA
3 years, 2 months ago
Definitely BD
upvoted 1 times
...
Kian1
3 years, 2 months ago
will go with B&D
upvoted 2 times
...
Ebi
3 years, 2 months ago
BD are the right ones
upvoted 3 times
...
sanjaym
3 years, 2 months ago
I'll go with BD
upvoted 1 times
...
T14102020
3 years, 2 months ago
Correct is BD.
upvoted 2 times
...
jackdryan
3 years, 2 months ago
I'll go with B,D
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago