How can the presence of a public S3 object be detected, set to trigger alarm notifications, and automatically remediated in the future?
(Choose two.)
Turn on object-level logging for Amazon S3. Turn on Amazon S3 event notifications to notify by using an Amazon SNS topic when a PutObject API call is made with a public-read permission.
Configure an Amazon CloudWatch Events rule that invokes an AWS Lambda function to secure the S3 bucket.
Use the S3 bucket permissions for AWS Trusted Advisor and configure a CloudWatch event to notify by using Amazon SNS.
Turn on object-level logging for Amazon S3. Configure a CloudWatch event to notify by using an SNS topic when a PutObject API call with public-read permission is detected in the AWS CloudTrail logs.
Schedule a recursive Lambda function to regularly change all object permissions inside the S3 bucket.
Explanations:
Object-level logging (CloudTrail data events) does record each PutObject call, but S3 event notifications are the wrong delivery path: they fire when an object is created and carry the bucket and key, not the ACL the caller requested, and they cannot be filtered on a public-read permission. The detection has to come from the CloudTrail record, not from the S3 notification.
Configuring a CloudWatch Events (EventBridge) rule to invoke a Lambda function automates the remediation: the function can reset the offending object's ACL to private, and it can notify the compliance team at the same time.
Trusted Advisor's S3 bucket permissions check runs on a schedule and evaluates bucket-level ACLs and policies, not individual objects, so it cannot detect a public-read object in real time, and it is not a trigger that can drive per-object remediation.
Enabling object-level logging sends S3 data events to CloudTrail, and those records include the x-amz-acl request parameter. A CloudWatch Events rule can therefore match PutObject calls whose ACL is public-read and publish an alert to an SNS topic. Note that this detects public ACLs only where ACLs are still permitted; a bucket with S3 Block Public Access enabled, or with Object Ownership set to bucket owner enforced, rejects such requests outright, which is the preferred preventive control.
Periodically rewriting every object's permissions is not a solution: it does not detect when an object becomes public, raises no alert, leaves the object exposed until the next run, and scales poorly on large buckets.
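The detect-and-remediate path from the two correct answers (CloudTrail data event, CloudWatch Events rule, Lambda that resets the ACL and notifies via SNS), as an added example that is not part of the original question or of any AWS sample. It assumes object-level logging is on for the bucket and that the event reaches the function in the "AWS API Call via CloudTrail" shape EventBridge delivers; the sample event, the `FakeClient`, the bucket and key names, and the topic ARN are constructed for illustration. The AWS clients are injected so the code runs offline; in the real Lambda entry point they are `boto3` clients.

```python
"""Detect a public-read S3 object from a CloudTrail data event and remediate it.

Added example (not from the original page). Assumes CloudTrail object-level
logging is enabled so PutObject / PutObjectAcl calls arrive through an
EventBridge rule, and that requestParameters carries the x-amz-acl header.
"""
import json
import os

PUBLIC_ACLS = ("public-read", "public-read-write")

# EventBridge (CloudWatch Events) rule pattern that selects only the calls
# we care about, so the Lambda is not invoked for every PutObject.
EVENT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutObject", "PutObjectAcl"],
        "requestParameters": {"x-amz-acl": list(PUBLIC_ACLS)},
    },
}


def public_object_from_event(event):
    """Return (bucket, key) if the CloudTrail record requested a public ACL, else None."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "s3.amazonaws.com":
        return None
    if detail.get("eventName") not in ("PutObject", "PutObjectAcl"):
        return None
    params = detail.get("requestParameters") or {}
    if params.get("x-amz-acl") not in PUBLIC_ACLS:
        return None
    bucket, key = params.get("bucketName"), params.get("key")
    if not bucket or not key:
        return None
    return bucket, key


def remediate(event, s3, sns=None, topic_arn=None):
    """Reset the object ACL to private and, if a topic is given, alert via SNS.

    Returns a dict describing what was done, for logging and for tests.
    """
    found = public_object_from_event(event)
    if found is None:
        return {"action": "ignored"}
    bucket, key = found
    s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    result = {
        "action": "made-private",
        "bucket": bucket,
        "key": key,
        "actor": event["detail"].get("userIdentity", {}).get("arn"),
    }
    if sns is not None and topic_arn:
        sns.publish(TopicArn=topic_arn,
                    Subject="Public S3 object remediated",
                    Message=json.dumps(result))
        result["notified"] = True
    return result


def lambda_handler(event, context):
    """Real entry point; boto3 is imported lazily so the module loads offline."""
    import boto3
    return remediate(event, boto3.client("s3"), boto3.client("sns"),
                     topic_arn=os.environ.get("ALERT_TOPIC_ARN"))


class FakeClient:
    """Records calls instead of talking to AWS (constructed for this example)."""

    def __init__(self):
        self.calls = []

    def put_object_acl(self, **kw):
        self.calls.append(("put_object_acl", kw))

    def publish(self, **kw):
        self.calls.append(("publish", kw))


# Constructed sample event in the shape EventBridge delivers for a CloudTrail
# S3 data event (abbreviated; not a real capture).
SAMPLE_EVENT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "bucketName": "example-bucket",
            "key": "reports/q1.csv",
            "x-amz-acl": "public-read",
        },
    },
}


def demo():
    """Run the pipeline against the sample event with fake AWS clients."""
    s3, sns = FakeClient(), FakeClient()
    result = remediate(SAMPLE_EVENT, s3, sns,
                       topic_arn="arn:aws:sns:us-east-1:123456789012:alerts")
    return result, s3.calls, sns.calls


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Two caveats for anyone deploying this: the rule only sees a canned ACL passed as the x-amz-acl header, so grants written as an XML access-control policy in the request body are not matched and need a separate check; and the Lambda role needs `s3:PutObjectAcl` on the bucket and `sns:Publish` on the topic, nothing broader.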