DOP-C02 Domain 5: Incident and Event Response

AWS Organizations spans many accounts and Regions. The company needs automated detection and blocking when any S3 bucket (existing or new) becomes public via ACLs or bucket policies. Which solution meets this?

Multiple choice — select one answer

Answer choices

  1. a. AWS Config rule in each account (or organization) for public ACLs/policies with automated remediation via a Systems Manager Automation runbook.
  2. b. Create an EventBridge rule on aws.ecs for STOPPED tasks with that stoppedReason; target the SNS topic.
  3. c. Organization CloudTrail to a security-account bucket; EventBridge rules on that bus for all accounts. (not recommended for production workloads)
  4. d. AWS Config rule detecting noncompliant instances with remediation that terminates them.

Architectural breakdown & explanation

Managed Config rules such as s3-bucket-level-public-access-prohibited detect public access; runbooks like AWS-DisableS3BucketPublicReadWrite remediate automatically.

Correct answer(s): a. AWS Config rule in each account (or organization) for public ACLs/policies with automated remediation via a Systems Manager Automation runbook.

Exam domain: Domain 5: Incident and Event Response (14% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the AWS Certified DevOps Engineer – Professional bank. Run a full timed practice exam with domain-weighted random questions in your browser.