An image-hosting company stores objects in Amazon S3 buckets and wants to prevent accidental public exposure. All S3 objects in the account must remain private. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use the S3 Block Public Access feature at the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing that setting. Apply the SCP to the account..
Why this is the answer
The S3 Block Public Access feature at the account level is the most effective and straightforward solution to prevent accidental public exposure of S3 objects. It provides a comprehensive set of controls to block public access to all S3 buckets and objects within an AWS account, regardless of how the objects are uploaded or how bucket policies are configured. By applying this at the account level, it ensures all current and future S3 resources are protected. Using AWS Organizations with a Service Control Policy (SCP) to prevent IAM users from disabling this feature adds an essential layer of governance, ensuring that the critical security setting cannot be inadvertently or maliciously altered. GuardDuty monitors for threats but doesn't directly prevent policy changes. Trusted Advisor identifies issues but requires manual remediation, which is prone to human error and delays. AWS Resource Access Manager (RAM) is for sharing resources, not for finding publicly accessible S3 buckets or for remediation.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed