Home › AWS Security › cloudcomputing › scsdatagov › Which AWS feature lets a security engineer enfor…
Which AWS feature lets a security engineer enforce 'no S3 bucket can be made public' across the entire AWS Organization, even by future buckets?
APer-bucket ACL reviews quarterly
BAmazon Route 53
CAmazon EBS
DS3 Block Public Access at the AWS account + Organization level (combined with SCPs preventing PutPublicAccessBlock disable)
Answer & Solution
Correct answer: D. S3 Block Public Access at the AWS account + Organization level (combined with SCPs preventing PutPublicAccessBlock disable)
S3 Block Public Access at account/org level + SCPs is the preventive control (per SCS-C02 §5.2, §6.1). The other options are reactive or unrelated.
Related questions
Which AWS service helps a security engineer collect evidence for compliance audits — assesWhich AWS service provides a turnkey multi-account landing-zone with guardrails, account fWhich AWS Organization feature lets a security engineer enforce 'deny all use of root userWhich AWS service centrally manages multiple AWS accounts with consolidated billing, SCPs,Which AWS service automatically discovers and classifies sensitive data (PII, financial daWhich Amazon S3 feature enforces WORM (write-once-read-many) data retention to protect logWhich AWS service lightweight-stores parameters + SecureString secrets, integrated with KMWhich AWS service centrally stores application secrets (DB passwords, API keys, OAuth toke