
DOP-C02 Exam - Question 30


A company has multiple accounts in an organization in AWS Organizations. The company's SecOps team needs to receive an Amazon Simple Notification Service (Amazon SNS) notification if any account in the organization turns off the Block Public Access feature on an Amazon S3 bucket. A DevOps engineer must implement this change without affecting the operation of any AWS accounts. The implementation must ensure that individual member accounts in the organization cannot turn off the notification.

Which solution will meet these requirements?

Correct Answer: C

To receive a notification whenever the Block Public Access feature is turned off on any S3 bucket in any account of the organization, the solution must enforce and monitor configuration across all accounts. AWS Config is designed to monitor and manage the configuration of AWS resources; turning on AWS Config across the organization lets every account be monitored for compliance with specific rules. A conformance pack containing the s3-bucket-level-public-access-prohibited AWS Config managed rule ensures that any change to the Block Public Access setting is detected. Using AWS Systems Manager to publish an event to an SNS topic then notifies the SecOps team without letting individual member accounts alter the notification mechanism. This gives centralized control and consistency across the organization.
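As an added example (not code from the exam page, the commenters, or AWS), the detection side of the answer above: the EventBridge-style pattern a rule in the delegated administrator account would carry to route NON_COMPLIANT evaluations of the s3-bucket-level-public-access-prohibited rule to SNS, applied to constructed sample compliance-change events. The event field names, account IDs and bucket names are assumptions.

```python
import json
# Pattern for the delegated administrator account's rule; field names follow AWS Config's compliance-change event (assumed here).
CONFIG_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": ["s3-bucket-level-public-access-prohibited"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

def matches(pattern, event):
    """Minimal EventBridge matching: every pattern key must exist in the event,
    a list means 'any of these exact values', a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def sns_messages(events):
    """SNS message bodies for matching events: only buckets that just became NON_COMPLIANT."""
    out = []
    for e in events:
        if matches(CONFIG_PATTERN, e):
            d = e["detail"]
            out.append(json.dumps({"account": e["account"], "region": e["region"],
                                   "bucket": d["resourceId"], "rule": d["configRuleName"]}))
    return out

def _event(account, rule, resource, rtype, compliance):
    """Constructed sample event (not real log data)."""
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
            "account": account, "region": "us-east-1",
            "detail": {"resourceId": resource, "resourceType": rtype, "configRuleName": rule,
                       "newEvaluationResult": {"complianceType": compliance}}}

SAMPLE_EVENTS = [
    _event("111111111111", "s3-bucket-level-public-access-prohibited",
           "payroll-exports", "AWS::S3::Bucket", "NON_COMPLIANT"),  # notify SecOps
    _event("222222222222", "s3-bucket-level-public-access-prohibited",
           "logs-archive", "AWS::S3::Bucket", "COMPLIANT"),  # access re-blocked, no alert
    _event("111111111111", "restricted-ssh", "sg-0abc", "AWS::EC2::SecurityGroup",
           "NON_COMPLIANT"),  # different rule, no alert
]
```

Because the rule and the SNS topic live in the delegated administrator account, a member account administrator cannot delete them, which is the requirement the question stresses.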

Discussion

17 comments
rlf
Oct 28, 2023

Answer is C.

* AWS Systems Manager Automation provides predefined runbooks (e.g. AWS-PublishSNSNotification) for Amazon Simple Notification Service: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-publishsnsnotification.html
* Running automations in multiple AWS Regions and accounts: https://docs.aws.amazon.com/systems-manager/latest/userguide/running-automations-multiple-accounts-regions.html

B seems to be the old approach. With a CloudFormation StackSet, each account can still change resource config (e.g. SNS), which causes drift... so I choose C because it utilizes AWS Organizations fully, with AWS Systems Manager Automation in multiple Regions and multiple accounts with a delegated administrator account (or the management account).

Cervus18 (Option: A)
Mar 13, 2024

We can leverage AWS Organizations to enable GuardDuty in all accounts. There is an S3 finding called Policy:S3/AccountBlockPublicAccessDisabled. Then we set up a single EventBridge rule in the delegated account that publishes the event to the SNS topic in the same account. This is the easiest solution to implement, and it monitors public access seamlessly across all the Organization's accounts. This is a common multi-account strategy for GuardDuty with AWS Organizations, to collect such findings from hundreds of accounts.

csG13 (Option: C)
Dec 27, 2023

It's not B because other users can turn it off. With AWS Config in Organizations only the admin in the root can do it.

4555894 (Option: C)
Mar 8, 2024

Amazon GuardDuty is primarily for threat detection and response, not configuration monitoring. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations. https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html

that1guy
Apr 21, 2024

Technically A would be sufficient here. The question is only asking to be NOTIFIED when block public access gets disabled. See the following GuardDuty finding: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketblockpublicaccessdisabled Managing multiple GuardDuty accounts is simplified using the AWS Organizations delegated administrator feature. With this feature, the AWS Organizations management account can designate a member account to be the GuardDuty administrator for the entire organization. The delegated GuardDuty administrator is then granted permission to enable and manage GuardDuty for all existing and future accounts in the organization.

zolthar_z (Option: C)
Dec 21, 2023

Answer is C: With B you can deploy a fix for the problem, but it is installed in every account, so a user with admin rights in that account can delete/modify the configuration.

Jay_2pt0_1 (Option: C)
Dec 31, 2023

This is the type of thing that AWS Config is used for.

hotblooded
Jan 27, 2024

Option B is also not a valid case because we can directly use Config with EventBridge; why go for CloudTrail? We can use the AWS Config rule s3-bucket-public-read-prohibited; if rule compliance changes, EventBridge will trigger SNS.

zijo
Mar 5, 2024

Answer is C. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations. You can also use AWS Systems Manager documents (SSM documents) to store your conformance pack templates on AWS and directly deploy conformance packs using SSM document names.

xdkonorek2 (Option: A)
Jun 29, 2024

A DevOps engineer must implement this change without affecting the operation of any AWS accounts.

hotblooded
Jan 27, 2024

I got confused with options B and C, but let's think about option C: when I would use Systems Manager to trigger SNS, I can simply use an EventBridge rule that checks for config rule compliance change; if compliance changes, then as a target we will specify SNS. Yes, we can also specify a Systems Manager Automation document to trigger SNS, but why would I use it? I will directly use SNS. So from the above, just going by the wording, I still think B is the correct option. The main reason is that you do not need Systems Manager here to trigger SNS.

hotblooded
Jan 27, 2024

I got confused with options B and C, but let's think about option C: when I would use Systems Manager to trigger SNS, I can simply use an EventBridge rule that checks for config rule compliance change; if compliance changes, then as a target we will specify SNS. Yes, we can also specify a Systems Manager Automation document to trigger SNS, but why would I use it? I will directly use SNS. So from the above, just going by the wording, I still think B is the correct option. The main reason is that you do not need Systems Manager here to trigger SNS. Plus there is no mention of an EventBridge rule that will trigger Systems Manager; from Config we cannot directly trigger it.

thanhnv142
Jan 29, 2024

C is correct: AWS Config can only be modified by the admin, not by member accounts.

thanhnv142
Feb 1, 2024

Let me clarify: B cannot be correct for this reason: "Deploy the stack to every account in the organization by using CloudFormation StackSets" means that in every account of this AWS org (which can be up to hundreds of accounts), we will deploy an SNS topic and an EventBridge rule. This would be an extremely expensive deployment.

seetpt (Option: C)
May 1, 2024

C is the only correct option.

Gomer
May 30, 2024

I was sure the answer was "C" until I started reading through some of the requirements and comments. The words "implementation must ensure that individual member accounts in the organization cannot turn off the notification" incline me to lean towards "A", because with "C", someone with admin privileges on a single account could turn off the notification in that account. As pointed out by others, there are a number of GuardDuty findings associated with S3 public access. Having GuardDuty and an EventBridge pattern trigger SNS for some key words such as "s3" and "Public" seems to make sense in enforcing this across an organization. I don't have enough experience with GuardDuty in an Organization to be 100% confident, but the emphasis on the SNS requirement makes me think this could be a trick question.

aefuen1 (Option: A)
Jul 1, 2024

It's A. GuardDuty achieves this with no effort.