Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 173 discussion

A company needs to audit the security posture of a newly acquired AWS account. The company’s data security team requires a notification only when an Amazon S3 bucket becomes publicly exposed. The company has already established an Amazon Simple Notification Service (Amazon SNS) topic that has the data security team's email address subscribed.

Which solution will meet these requirements?

  • A. Create an S3 event notification on all S3 buckets for the isPublic event. Select the SNS topic as the target for the event notifications.
  • B. Create an analyzer in AWS Identity and Access Management Access Analyzer. Create an Amazon EventBridge rule for the event type “Access Analyzer Finding” with a filter for “isPublic: true.” Select the SNS topic as the EventBridge rule target.
  • C. Create an Amazon EventBridge rule for the event type “Bucket-Level API Call via CloudTrail” with a filter for “PutBucketPolicy.” Select the SNS topic as the EventBridge rule target.
  • D. Activate AWS Config and add the cloudtrail-s3-dataevents-enabled rule. Create an Amazon EventBridge rule for the event type “Config Rules Re-evaluation Status” with a filter for “NON_COMPLIANT.” Select the SNS topic as the EventBridge rule target.
Suggested Answer: B 🗳️
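Added example, not code from the exam page or from any commenter: option B hinges on an EventBridge event pattern that filters "Access Analyzer Finding" events on isPublic: true. The block below implements the exact-match subset of EventBridge pattern semantics in Python and runs two patterns against constructed events shaped like the documented Access Analyzer finding event. The first pattern is the one leehjworking posted in the discussion; the second is an assumed narrowing that adds the finding fields resourceType and status so that a public KMS key or an already-resolved finding does not also page the team, which the question's "only when an S3 bucket becomes publicly exposed" requirement suggests. Account ids, ARNs and event ids are constructed placeholders.

```python
"""EventBridge-style matching of IAM Access Analyzer finding events.

Added example: a minimal matcher for the exact-match subset of EventBridge
event patterns, run against constructed sample events in the shape of the
documented "Access Analyzer Finding" event.
"""
import json
from typing import Any

# Pattern posted in the discussion (leehjworking): any public finding.
PATTERN_ANY_PUBLIC = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {"isPublic": [True]},
}

# Assumed narrowing: only ACTIVE findings on S3 buckets, so a public KMS key
# or a finding that has since been resolved does not reach the SNS topic.
PATTERN_PUBLIC_S3 = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {
        "isPublic": [True],
        "resourceType": ["AWS::S3::Bucket"],
        "status": ["ACTIVE"],
    },
}


def matches(pattern: Any, event: Any) -> bool:
    """Exact-match subset of EventBridge pattern semantics.

    * dict in the pattern: every key must exist in the event and match (AND)
    * list in the pattern: the event value must equal one element (OR)
    * if the event value is itself a list, any element may match
    Content filters such as {"prefix": ...} or {"numeric": ...} are not handled.
    """
    if isinstance(pattern, dict):
        if not isinstance(event, dict):
            return False
        return all(k in event and matches(sub, event[k]) for k, sub in pattern.items())
    if isinstance(pattern, list):
        candidates = event if isinstance(event, list) else [event]
        # type check keeps Python's True == 1 from matching an integer 1
        return any(c == allowed and type(c) is type(allowed)
                   for c in candidates for allowed in pattern)
    raise ValueError("pattern leaves must be lists of literal values")


def finding_event(resource: str, resource_type: str, is_public: bool,
                  status: str = "ACTIVE") -> dict:
    """Constructed sample event; ids and account numbers are placeholders."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "Access Analyzer Finding",
        "source": "aws.access-analyzer",
        "account": "111122223333",
        "region": "us-east-1",
        "resources": ["arn:aws:access-analyzer:us-east-1:111122223333:analyzer/example"],
        "detail": {
            "accountId": "111122223333",
            "action": ["s3:GetObject"] if resource_type == "AWS::S3::Bucket" else ["kms:Decrypt"],
            "isPublic": is_public,
            "principal": {"AWS": "*"} if is_public else {"AWS": "444455556666"},
            "resource": resource,
            "resourceOwnerAccount": "111122223333",
            "resourceType": resource_type,
            "status": status,
        },
    }


SAMPLE_EVENTS = {
    "public_bucket": finding_event("arn:aws:s3:::example-public-bucket", "AWS::S3::Bucket", True),
    "cross_account_bucket": finding_event("arn:aws:s3:::example-shared-bucket", "AWS::S3::Bucket", False),
    "public_kms_key": finding_event("arn:aws:kms:us-east-1:111122223333:key/placeholder", "AWS::KMS::Key", True),
    "resolved_bucket": finding_event("arn:aws:s3:::example-fixed-bucket", "AWS::S3::Bucket", True, "RESOLVED"),
}


def evaluate(pattern: dict) -> dict:
    """Map each sample event name to whether the pattern would forward it to the SNS target."""
    return {name: matches(pattern, ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, pattern in (("any-public", PATTERN_ANY_PUBLIC), ("public-s3-active", PATTERN_PUBLIC_S3)):
        print(name, json.dumps(evaluate(pattern)))
```

Running the block shows that the pattern from the discussion forwards the public bucket but also the public KMS key and the resolved finding, while the narrowed pattern forwards only the active public S3 bucket. The same narrowed pattern pastes directly into the EventBridge console's custom pattern field, since the matcher here only reproduces EventBridge's documented exact-match rules.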

Comments

dkx
Highly Voted 1 year, 3 months ago
A. No, because Amazon S3 can NOT currently publish notifications for isPublic events. https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventNotifications.html
B. Yes, because IAM Access Analyzer for S3 alerts you to S3 buckets that are configured to allow access to anyone on the internet or other AWS accounts. https://aws.amazon.com/blogs/security/how-to-prioritize-iam-access-analyzer-findings/
C. No, because PutBucketPolicy notifies us of an Amazon S3 bucket policy event to an Amazon S3 bucket, and we are looking for a SPECIFIC event to the bucket permissions, not ALL events.
D. No, because cloudtrail-s3-dataevents-enabled checks if at least one AWS CloudTrail trail is logging Amazon Simple Storage Service (Amazon S3) data events for all S3 buckets. https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-dataevents-enabled.html
upvoted 14 times
God_Is_Love
Highly Voted 1 year, 7 months ago
Selected Answer: B
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html
upvoted 12 times
God_Is_Love
1 year, 7 months ago
Click on the "Create rule" button. Enter a name for the rule and a brief description, if desired. Under "Define pattern", select "Event pattern". Select "Custom pattern". In the "Event pattern" field, enter the following code:
{
  "source": ["aws.securityhub"],
  "detail-type": ["Access Analyzer Finding"],
  "detail": {
    "findings": [
      { "isPublic": [true] }
    ]
  }
}
This code will match all Access Analyzer Finding events where the "isPublic" field is set to "true".
upvoted 8 times
AimarLeo
Most Recent 9 months ago
This question... is seriously a googling one!
upvoted 1 times
dkcloudguru
1 year, 1 month ago
Option B
upvoted 1 times
NikkyDicky
1 year, 3 months ago
Selected Answer: B
it's B
upvoted 2 times
Maria2023
1 year, 4 months ago
Selected Answer: B
Ideally, I would use a Config rule, but here, of course, they suggest the wrong rule. The other option remains Access Analyzer.
upvoted 1 times
SkyZeroZx
1 year, 4 months ago
Selected Answer: B
keyword = AWS Identity and Access Management Access Analyzer then B
upvoted 2 times
leehjworking
1 year, 5 months ago
Selected Answer: B
The code by God_is_love did not work for me. I guess something has changed. The following code worked in my environment.
{
  "source": ["aws.access-analyzer"],
  "detail-type": ["Access Analyzer Finding"],
  "detail": {
    "isPublic": [true]
  }
}
upvoted 1 times
SkyZeroZx
1 year, 5 months ago
Selected Answer: B
AWS is letter B. Previous writing is an error.
upvoted 1 times
SkyZeroZx
1 year, 5 months ago
Letter C
upvoted 1 times
SkyZeroZx
1 year, 5 months ago
Solution D will not meet the requirements because it will notify the data security team whenever an S3 bucket is not compliant with the cloudtrail-s3-dataevents-enabled rule, even if the bucket is not publicly exposed. The cloudtrail-s3-dataevents-enabled rule checks if at least one AWS CloudTrail trail is logging Amazon Simple Storage Service (Amazon S3) data events for all S3 buckets. If a bucket is not compliant with this rule, it does not mean that the bucket is publicly exposed. The bucket may simply not be logging S3 data events.
upvoted 2 times
SkyZeroZx
1 year, 5 months ago
Here are some reasons why an S3 bucket may not be logging S3 data events: The bucket may not have a CloudTrail trail associated with it. The CloudTrail trail for the bucket may not be enabled. The CloudTrail trail for the bucket may not be configured to log S3 data events. If the data security team is only interested in being notified when an S3 bucket becomes publicly exposed, then solution D is not the best solution. Solution B is a better solution because it will only notify the data security team when an S3 bucket becomes publicly exposed.
upvoted 1 times
y0eri
1 year, 5 months ago
Selected Answer: B
https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-eventbridge.html
upvoted 1 times
mfsec
1 year, 7 months ago
Selected Answer: B
B: EventBridge and Access Analyzer
upvoted 2 times
c73bf38
1 year, 8 months ago
Selected Answer: B
B is the correct solution because it uses AWS Identity and Access Management Access Analyzer to continuously monitor access control configurations and detect whether any S3 buckets have been configured to be publicly accessible. When a publicly accessible bucket is detected, an Amazon EventBridge rule is triggered, and the SNS topic is notified with the finding.
upvoted 7 times
masssa
1 year, 8 months ago
Selected Answer: B
Access Analyzer is to assess the access policy. https://docs.aws.amazon.com/ja_jp/AmazonS3/latest/userguide/access-control-block-public-access.html
upvoted 2 times
[Removed]
1 year, 8 months ago
Selected Answer: B
https://aws.amazon.com/blogs/security/how-to-use-aws-iam-access-analyzer-api-to-automate-detection-of-public-access-to-aws-kms-keys/
upvoted 2 times
mdijoux25
1 year, 8 months ago
Selected Answer: B
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html
upvoted 2 times
spd
1 year, 8 months ago
Selected Answer: D
D by elimination rule
upvoted 2 times
Jay_2pt0_1
1 year, 5 months ago
I thought D, as well, but it seems everyone else thinks Access Analyzer.
upvoted 1 times