Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 430 discussion

A Company had a security event whereby an Amazon S3 bucket with sensitive information was made public. Company policy is to never have public S3 objects, and the Compliance team must be informed immediately when any public objects are identified.
How can the presence of a public S3 object be detected, set to trigger alarm notifications, and automatically remediated in the future? (Choose two.)

  • A. Turn on object-level logging for Amazon S3. Turn on Amazon S3 event notifications to notify by using an Amazon SNS topic when a PutObject API call is made with a public-read permission.
  • B. Configure an Amazon CloudWatch Events rule that invokes an AWS Lambda function to secure the S3 bucket.
  • C. Use the S3 bucket permissions for AWS Trusted Advisor and configure a CloudWatch event to notify by using Amazon SNS.
  • D. Turn on object-level logging for Amazon S3. Configure a CloudWatch event to notify by using an SNS topic when a PutObject API call with public-read permission is detected in the AWS CloudTrail logs.
  • E. Schedule a recursive Lambda function to regularly change all object permissions inside the S3 bucket.
Show Suggested Answer Hide Answer
Suggested Answer: BD 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
donathon
Highly Voted 3 years, 2 months ago
A: There is a possibility that the event may be missed using this method. Amazon S3 event notifications typically deliver events in seconds but can sometimes take a minute or longer. On very rare occasions, events might be lost. https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html B: This actively remediate the public access. https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/ C: This is possible but not complete. This Trusted Advisor check doesn't monitor for bucket policies that override bucket ACLs. https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/ https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/#security https://willhamill.com/2018/02/19/get-alerts-when-an-s3-bucket-is-made-public-in-your-aws-account D: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/log-s3-data-events.html E: Not feasible.
upvoted 29 times
donathon
3 years, 2 months ago
Answer is BD BTW.
upvoted 17 times
...
Moon
3 years, 2 months ago
Good resources... Support "B & D" too.
upvoted 6 times
...
Waiweng
3 years ago
B D it's good
upvoted 5 times
...
awsenthu
3 years, 1 month ago
cloudtrail will take 15min to deliver the logs, my take is A and B https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
upvoted 2 times
...
...
awsec2
Highly Voted 3 years, 2 months ago
b,d https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
upvoted 14 times
dpvnme
3 years, 2 months ago
yes, A is not possible with S3 event notification
upvoted 4 times
...
...
SkyZeroZx
Most Recent 1 year, 5 months ago
Selected Answer: BD
B D it's good
upvoted 1 times
...
niu_tim
2 years, 9 months ago
A is not correct, the permission can't be detected by event notification. Event format is here:https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-content-structure.html
upvoted 7 times
...
AzureDP900
2 years, 11 months ago
I will go with BD
upvoted 1 times
...
vbal
2 years, 11 months ago
demand of this 'How can the existence of a public S3 item be recognized' mean D & not C
upvoted 1 times
...
vbal
2 years, 11 months ago
B&C ; https://aws.amazon.com/about-aws/whats-new/2018/02/aws-trusted-advisors-s3-bucket-permissions-check-is-now-free/
upvoted 1 times
...
andylogan
3 years ago
It's B D
upvoted 1 times
...
amithbti416
3 years ago
B and D Amazon CloudWatch Events to detect PutObject and PutObjectAcl API calls in near real time and helps ensure that the objects remain private by making automatic PutObjectAcl calls, when necessary.
upvoted 1 times
...
WhyIronMan
3 years ago
I'll go with B,D
upvoted 1 times
...
ExtHo
3 years ago
Any Thought on A,D many peoples referring as "On very rare occasions, events might be lost" to rule out A on https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html I don't found event might be lost Important Amazon S3 event notifications are designed to be delivered at least once. Typically, event notifications are delivered in seconds but can sometimes take a minute or longer.
upvoted 2 times
...
AJBA
3 years ago
Definitely BD
upvoted 1 times
...
Kian1
3 years, 1 month ago
will go with B&D
upvoted 2 times
...
Ebi
3 years, 1 month ago
BD are the right ones
upvoted 3 times
...
sanjaym
3 years, 1 month ago
I'll go with BD
upvoted 1 times
...
T14102020
3 years, 1 month ago
Correct is BD.
upvoted 2 times
...
jackdryan
3 years, 1 month ago
I'll go with B,D
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...