Q: 13
A company has AWS accounts in an organization in AWS Organizations. An Amazon S3 bucket in one
account is publicly accessible. A security engineer must remove public access and ensure the bucket
cannot be made public again.
Which solution will meet these requirements?
Options
Discussion
C. PublicAccessBlock handles the immediate lock, and denying s3:PutPublicAccessBlock with an SCP prevents anyone from removing it later. D is tempting but Object Lock is about retention, not access. B misses long-term prevention.
Option B looks right to me. If you enable PublicAccessBlock and then deny s3:GetObject at the org level with an SCP, that should stop public reads, and Block Public Access covers other risks. Had something like this in a mock and B was the answer there. Maybe I'm missing something?
C vs B, but C is better protection. PublicAccessBlock needs to stay enforced, so denying s3:PutPublicAccessBlock in the SCP keeps it locked down. B only blocks current access but admins could disable the block later. Pretty sure C is the intent here.
Nah, I think D makes more sense here. Object Lock seems like it would block changes to public access too.
Pretty sure it's C. Had something like this in a mock and blocking public access plus using an SCP to deny changes to the PublicAccessBlock is what locks it down long term. B doesn't stop someone from reversing the block. Agree?
B
C/D? Not sure, feels like C but D has Object Lock. Kinda tricky.
Nah, B is a trap since you could still turn off PublicAccessBlock after. C.
C over B every time here. You need to not only block public access now but prevent anyone from turning it back on, and denying s3:PutPublicAccessBlock with an SCP (like in C) is the way AWS recommends. B is a common trap for missing the long-term prevention part.
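The option C approach the thread converges on, as an added example that is not part of the question or any commenter's post: the full Block Public Access configuration, the SCP that denies changing it afterwards, and a small offline check over both. The bucket name example-bucket is a constructed placeholder; the IAM action names used here are the documented s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock, which correspond to the s3:PutPublicAccessBlock the thread refers to.

```python
import json
from fnmatch import fnmatchcase

# The four Block Public Access flags; all must be on for the immediate lock.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def full_block_config() -> dict:
    """PublicAccessBlockConfiguration to apply with PutPublicAccessBlock."""
    return {flag: True for flag in BPA_FLAGS}


def is_fully_blocked(config: dict) -> bool:
    """Audit check on a GetPublicAccessBlock-style dict: every flag must be
    True. A missing key counts as False, which is how S3 treats it."""
    return all(config.get(flag) is True for flag in BPA_FLAGS)


def lock_bpa_scp(bucket: str) -> dict:
    """SCP that denies removing the block afterwards (the part option B
    lacks). Bucket-level changes (PutPublicAccessBlock and
    DeletePublicAccessBlock) need s3:PutBucketPublicAccessBlock; the
    account-level setting needs s3:PutAccountPublicAccessBlock."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyBucketBPAChanges", "Effect": "Deny",
             "Action": "s3:PutBucketPublicAccessBlock",
             "Resource": f"arn:aws:s3:::{bucket}"},  # constructed placeholder
            {"Sid": "DenyAccountBPAChanges", "Effect": "Deny",
             "Action": "s3:PutAccountPublicAccessBlock",
             "Resource": "*"},
        ],
    }


def scp_denies(scp: dict, action: str, resource: str) -> bool:
    """Minimal check: is (action, resource) matched by an explicit Deny?
    Wildcards are honoured; conditions are not (real SCP evaluation also
    applies conditions, and SCPs never apply to the management account)."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatchcase(action, a) for a in acts) and \
           any(fnmatchcase(resource, r) for r in res):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(lock_bpa_scp("example-bucket"), indent=2))
```

Attach the SCP to the org root or the OU holding the account; a partially set configuration, such as one with RestrictPublicBuckets left off, fails is_fully_blocked and should be treated as a finding.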