What should a SysOps administrator do to meet this requirement?
Turn on S3 Block Public Access from the account level.
Create an Amazon Event Bridge (Amazon CloudWatch Events) rule to enforce that all S3 objects are private.
Use Amazon Inspector to search for S3 buckets and to automatically reset S3 ACLs if any public S3 buckets are found.
Use S3 Object Lambda to examine S3 ACLs and to change any public S3 ACLs to private.
Explanations:
Turning on S3 Block Public Access at the account level prevents any public access to all S3 buckets in the account, which meets the security policy requirement.
An EventBridge rule can monitor events but cannot directly enforce privacy settings on S3 objects. It is not designed to prevent public access in the way the requirement specifies.
Amazon Inspector is a security assessment service and does not provide direct control over S3 ACLs. It cannot automatically reset S3 ACLs to enforce privacy settings.
S3 Object Lambda is used for modifying object content when retrieved, not for enforcing privacy or controlling S3 ACLs. It cannot change public ACLs to private automatically.
It seems to me that the answer is:
Turn on S3 Block Public Access from the account level.