A company is hosting sensitive data in an AWS S3 bucket.
It needs to be ensured that the objects in the bucket always remain private.
How can this be ensured continually? Choose 2 answers from the options given below.
A.
B.
C.
D.
Answer: A and B.
Option A is CORRECT because AWS Config helps keep track of changes to the S3 bucket.
Any change made can trigger an alert through a CloudWatch Events rule or an SNS topic.
Option B is CORRECT because if the bucket objects are found to allow public access, the Lambda function overwrites the bucket configuration so that they are private again.
Option C is incorrect because AWS Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps, but it cannot be used to detect changes on the S3 bucket and revert it back to the desired state.
Option D is incorrect because the SNS notifications do not automatically fix the incorrect S3 configurations.
In this scenario, a Lambda function is required to modify the S3 bucket policy.
For more information on the implementation of this use case, kindly refer to the following URLs:
https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
To ensure that objects in an AWS S3 bucket remain private, the following two options can be used:
Use AWS Config to monitor changes to the S3 Bucket: AWS Config is a service that provides a detailed view of the resources in an AWS account, including their relationships, current configuration, and historical changes. With AWS Config, you can monitor changes to the S3 bucket configuration, including changes to access policies, bucket policies, and encryption settings. You can also set up alerts and notifications when changes occur, so you can take action to ensure that the objects in the bucket remain private.
Use an AWS Lambda function to change the S3 bucket policy: AWS Lambda is a service that allows you to run code in response to events in other AWS services, such as S3. You can create a Lambda function that is invoked when AWS Config reports the bucket as non-compliant and automatically updates the bucket configuration to ensure that the objects remain private. For example, you can write a Lambda function that adds a deny statement to the bucket policy, or removes the public grant, whenever a public access configuration is detected.
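The Config-to-Lambda remediation loop described in the two points above, as an added example that is not part of the original answer or of the linked AWS posts. The handler assumes it is invoked by a CloudWatch Events / EventBridge rule for AWS Config compliance changes, whose `detail` carries `resourceId`, `configRuleName` and `newEvaluationResult.complianceType` (the event sample below is constructed, as is the bucket policy). `boto3`'s `put_public_access_block`, `get_bucket_policy`, `put_bucket_policy` and `delete_bucket_policy` are the real S3 client calls; the `FakeS3` class is an in-memory stand-in so the code runs offline. The bucket name and account ID are placeholders.

```python
"""Auto-remediate an S3 bucket that AWS Config flagged as publicly accessible.

Flow: AWS Config rule -> NON_COMPLIANT evaluation -> CloudWatch Events rule ->
this Lambda. The handler (1) enables all four Block Public Access settings on
the bucket and (2) strips any bucket-policy statement that grants access to
everyone, keeping the account-scoped statements intact.
"""
import json
from typing import Any, Dict, List

# All four S3 Block Public Access switches; real boto3 parameter names.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def is_public_principal(principal: Any) -> bool:
    """True if the Principal element means 'anyone' rather than a specific account/role."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements that open the bucket to everyone unconditionally.

    Statements carrying a Condition block are left alone on purpose: conditions
    such as aws:SourceVpce or aws:PrincipalOrgID make a '*' principal non-public.
    """
    return [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow"
        and "Condition" not in s
        and is_public_principal(s.get("Principal"))
    ]


def private_policy(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the policy with the public Allow statements removed."""
    public = public_statements(policy)
    return {**policy, "Statement": [s for s in policy.get("Statement", []) if s not in public]}


def remediate_bucket(bucket: str, s3) -> List[str]:
    """Force the bucket private; `s3` is a boto3 S3 client (or the FakeS3 double below)."""
    actions = []
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    actions.append("public_access_block")
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except s3.exceptions.NoSuchBucketPolicy:
        return actions  # nothing in the policy can be public if there is no policy
    fixed = private_policy(policy)
    if len(fixed["Statement"]) == len(policy["Statement"]):
        return actions  # policy was not the problem (e.g. a public ACL was)
    if fixed["Statement"]:
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(fixed))
        actions.append("policy_rewritten")
    else:
        s3.delete_bucket_policy(Bucket=bucket)
        actions.append("policy_deleted")
    return actions


def lambda_handler(event: Dict[str, Any], context: Any, s3=None) -> Dict[str, Any]:
    """Lambda entry point for a Config compliance-change event (assumed shape, see lead-in)."""
    detail = event.get("detail", {})
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return {"bucket": None, "actions": []}  # COMPLIANT re-evaluations are a no-op
    bucket = detail["resourceId"]  # for AWS::S3::Bucket the resourceId is the bucket name
    if s3 is None:
        import boto3  # only needed inside Lambda; deferred so the module imports offline
        s3 = boto3.client("s3")
    return {"bucket": bucket, "actions": remediate_bucket(bucket, s3)}


class FakeS3:
    """Minimal in-memory stand-in for the boto3 S3 client, for offline runs only."""

    class exceptions:
        class NoSuchBucketPolicy(Exception):
            pass

    def __init__(self, policy=None):
        self.policy = policy
        self.public_access_block = None

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.public_access_block = PublicAccessBlockConfiguration

    def get_bucket_policy(self, Bucket):
        if self.policy is None:
            raise self.exceptions.NoSuchBucketPolicy()
        return {"Policy": json.dumps(self.policy)}

    def put_bucket_policy(self, Bucket, Policy):
        self.policy = json.loads(Policy)

    def delete_bucket_policy(self, Bucket):
        self.policy = None


# Constructed sample event and policy (placeholder bucket name and account ID).
SAMPLE_EVENT = {
    "detail": {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-sensitive-data-bucket",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    }
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sensitive-data-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sensitive-data-bucket/*"},
    ],
}

if __name__ == "__main__":
    fake = FakeS3(SAMPLE_POLICY)
    print(lambda_handler(SAMPLE_EVENT, None, s3=fake))
    print(json.dumps(fake.policy, indent=2))
```

Two design points worth noting: Block Public Access is applied first and unconditionally, because it also neutralises public ACLs that a policy rewrite would never touch; and `public_statements` skips any statement with a `Condition`, so a `"*"` principal scoped to a VPC endpoint or an organisation is not mistaken for a public grant and deleted.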
The other options given are not relevant to the task at hand. AWS Trusted Advisor API provides best practices and guidance for AWS resources, but it does not monitor changes to the S3 bucket configuration. Creating an SNS topic can be useful for sending notifications, but it does not ensure that objects in the S3 bucket remain private.