Amazon S3 Lifecycle rules are the native and most efficient way to enforce data retention policies. AWS Certified Security – Specialty documentation recommends lifecycle rules over custom automation to reduce operational complexity and failure risk.

Lifecycle rules automatically and reliably delete objects after a specified age, ensuring compliance without additional compute services. Lambda-based solutions increase cost and management overhead. Intelligent-Tiering manages storage cost, not data deletion.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

Amazon S3 Block Public Access provides centralized controls to prevent public access through bucket policies and ACLs. AWS Certified Security – Specialty guidance recommends enabling Block Public Access to reduce accidental exposure and to enforce guardrails that override public grants. Enabling Block Public Access on the bucket removes current public exposure when combined with correcting policies/ACLs and prevents future misconfiguration. To ensure the bucket cannot be made public again, the security engineer must prevent principals from disabling Block Public Access. An SCP that denies s3:PutPublicAccessBlock prevents changes that would remove or weaken the PublicAccessBlock configuration, enforcing the guardrail across the OU or account. Options A and D do not directly address public exposure control. Option B denies object reads but does not ensure public access cannot be re-enabled; it also does not address the root misconfiguration pathways and could disrupt legitimate access patterns. Option C specifically combines the correct preventive control (PublicAccessBlock) with organizational enforcement to stop future reversal.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Block Public Access

AWS Organizations SCP Guardrails for S3 Controls

AWS Config requires permissions at two levels to deliver configuration data: the AWS Config service role and the S3 bucket policy. The AWS Certified Security – Specialty Study Guide states that the S3 bucket policy must explicitly allow the config.amazonaws.com service principal to write objects. Additionally, the IAM role used by AWS Config must allow s3:GetBucketAcl and s3:PutObject.

If either permission is missing, AWS Config cannot deliver snapshots and will log delivery errors in CloudTrail. This dual-permission model ensures least privilege while maintaining secure delivery of compliance data.

Other options reference incorrect principals or irrelevant permissions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Prerequisites

The most efficient approach is to useAWS Configbecause Config is designed for continuous compliance evaluation and can automatically triggermanaged remediationwhen a resource drifts from the desired state. A managed Config rule that detects when CloudTrail is not logging, combined with theAWS-EnableCloudTrailremediation action, provides an automated way to re-enable CloudTrail without building and maintaining custom event processing code. This is especially valuable in multi-Region environments because Config can evaluate configurations across Regions and enforce the intended posture consistently.

Option B is illogical: triggering on StartLogging does not help when CloudTrail is turned off. Option C is not as operationally efficient because CloudWatch alarms are not the standard mechanism for reacting to CloudTrail API events; EventBridge is the proper event bus for API call events, but you would still be writing and maintaining Lambda logic and multi-Region plumbing. Option D is manual and delayed, not automated remediation.

Therefore, AWS Config with a managed rule and the AWS-provided remediation to enable CloudTrail is the most maintainable and efficient solution.

To enforce encryption in transit for Amazon S3, AWS best practice is to require HTTPS (TLS) by using a bucket policy condition that denies any request where aws:SecureTransport is false. The requirement includes both existing buckets and future buckets, so the control must continuously evaluate configuration drift and automatically remediate. AWS Config is the service intended for continuous configuration compliance monitoring across resources, and AWS Config managed rules provide standardized checks with low operational overhead. The s3-bucket-ssl-requests-only managed rule evaluates whether S3 buckets enforce SSL-only requests, aligning directly with enforcing encryption in transit. Setting the trigger type to Hybrid ensures evaluation both on configuration changes and periodically. Automatic remediation with an AWS Systems Manager Automation runbook allows the organization to apply or correct the bucket policy consistently at scale without manual work. This approach also supports governance by maintaining a measurable compliance status while actively fixing noncompliance. Option A is not the best fit because a “proactive” custom policy rule does not by itself remediate existing buckets and “block resource creation” is not how AWS Config enforces controls. Option C is incorrect because Amazon Inspector is a vulnerability management service and does not govern S3 bucket transport policies. Option D is inefficient and indirect because CloudTrail data events are not a compliance engine and would require custom processing.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for S3 Compliance

Amazon S3 Security Best Practices for SSL-only Access

AWS CloudTrail data event logging is the correct solution because it is specifically designed to capture detailed, structured, and near–real-time API activity for Amazon S3 object-level operations. When S3 data events are enabled, CloudTrail records actions such as GetObject, PutObject, and DeleteObject, along with critical context including the IAM principal, source IP address, event time, request parameters, and response elements. These logs are delivered in JSON format, making them highly structured and suitable for security analysis, SIEM integration, and automated detection workflows.

Amazon S3 server access logging (option A) provides basic request-level information but does not include full IAM identity context and is delivered with a significant delay, which does not meet the near–real-time requirement. AWS Config (option C) focuses on resource configuration changes and compliance evaluation; it does not log object-level access events. Amazon Macie (option D) is a data security service that uses machine learning to discover and classify sensitive data in S3 and generate findings for anomalous access patterns, but it is not a comprehensive access logging solution.

AWS Security Specialty documentation clearly states that CloudTrail data events are the authoritative mechanism for auditing S3 object-level access with identity attribution and precise timestamps, making option B the correct and best-practice answer

AWS abuse notifications are delivered as AWS Health events. According to the AWS Certified Security – Specialty Study Guide, Amazon EventBridge integrates natively with AWS Health and can be used to detect specific event types such as AWS_ABUSE_DOS_REPORT in near real time.

By creating an EventBridge rule that filters for the abuse report event type and publishes directly to Amazon SNS, the solution remains fully managed, low latency, and cost effective.

Polling APIs introduces delay and complexity. CloudTrail does not log abuse notifications. EventBridge with AWS Health is the recommended mechanism for reacting to AWS service events.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Health and EventBridge Integration

AWS Abuse Notification Handling

In IAM Identity Center, users see accounts and permission sets in the AWS access portal based onassignments. Here, the new permission set was assigned to theDevOps groupfor a specific member account. Sinceall developers except onecan see the permission set, the permission set itself and the account assignment are working correctly. The most likely cause is that the remaining developer isnot actually a memberof the DevOps group in the identity source (AWS Directory Service / Active Directory), or their group membership is not reflected due to missing/incorrect directory group assignment.

The least disruptive fix is to ensure the developer’s identity is correctly included in theDevOpsgroup within the directory. Once the user is a member of the assigned group (and after normal identity sync/refresh behavior), IAM Identity Center will evaluate the user as entitled to that permission set, and it will appear in the access portal.

Option B is unnecessary because the assignment is already effective for others. Option C is unrelated; service-linked roles for Organizations do not determine portal entitlements. Option D would not explain why only one user cannot see the permission set; if console access were misconfigured, it would affect all users assigned that permission set.

AWS KMS supports additional authenticated data (AAD) through the use of encryption context. According to the AWS Certified Security – Specialty documentation, encryption context is a set of key-value pairs that is cryptographically bound to the ciphertext. Any attempt to decrypt the data must include the same encryption context, or decryption will fail. This mechanism protects against ciphertext tampering and unauthorized reuse.

The kms:EncryptionContext condition key allows security engineers to enforce the use of specific encryption context values in IAM or key policies. By defining conditions that require particular encryption context attributes, access to encrypted data can be tightly controlled and bound to specific applications, environments, or workflows.

Option A does not provide integrity protection. Option B controls access but does not enforce the use of AAD. Option D restricts administrative access but does not address encryption context enforcement.

AWS documentation explicitly states that encryption context combined with policy conditions is the recommended method to implement authenticated encryption and fine-grained access control with KMS.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Encryption Context

AWS KMS Policy Condition Keys

AWS CloudTrail organization trails are specifically designed to providecentralized, organization-wide loggingwith minimal operational effort. According to the AWS Certified Security – Specialty Official Study Guide, an organization trail recordsall management events for all member accountsand delivers them to asingle Amazon S3 bucket.

To ensure that logscannot be altered or deleted, Amazon S3Object Lock in compliance modemust be used. Compliance mode enforceswrite-once-read-many (WORM)protection, meaningno user, including the root user, can delete or modify objects before the retention period expires. This directly satisfies the requirement that no changes or deletions are allowed for 2 years.

The S3 bucket must reside in thededicated security accountto provide isolation and strong security boundaries. Granting write permissions to theorganization’s management account(Option A) aligns with AWS best practices, because the management account owns and manages the organization trail and centrally delivers logs on behalf of all member accounts.

Option B increases attack surface by allowing all member accounts to write directly. Option C does not meet immutability requirements because lifecycle policies do not prevent deletion. Option E introduces unnecessary services and operational complexity.

AWS documentation explicitly identifies the combination ofCloudTrail organization trails + S3 Object Lock (compliance mode)as therecommended, lowest-overhead solutionfor long-term, immutable audit log retention.

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Organization Trail Documentation

Amazon S3 Object Lock Documentation

AWS Well-Architected Framework – Security Pillar