Which combination of steps should the security engineer take to remediate this issue?
(Choose two.)
Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.
Explanations:
The error indicates that AWS Config is unable to write to the S3 bucket, which suggests an issue with the bucket policy. The policy must allow the config.amazonaws.com service to write to the target bucket.
The IAM entity must have the necessary permissions (s3:GetBucketAcl and s3:PutObject*) to interact with the S3 bucket. These permissions are required to allow AWS Config to store data in the bucket.
The S3 bucket policy does not need to grant s3:GetBucketAcl and s3:PutObject* permissions to AWS Config. Those permissions should be granted to the IAM entity instead.
The IAM entity must have the necessary permissions to interact with the S3 bucket, but the config.amazonaws.com service role is the one that needs specific permissions to write to the bucket.
This option is unrelated to the specific issue described. The permissions regarding the BatchGetResourceConfig and GetResourceConfigHistory actions don’t address the issue with writing to the S3 bucket.
I map out that the answer is:
Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
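The bucket-policy check described in the first explanation, as an added example that is not part of the original question set: it reads an S3 bucket policy and reports which of the actions AWS Config needs (s3:GetBucketAcl on the bucket, s3:PutObject on its objects) are not granted to the config.amazonaws.com service principal. The bucket name and the two sample policies are constructed for the example.

```python
import fnmatch
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"
REQUIRED_ACTIONS = ("s3:GetBucketAcl", "s3:PutObject")  # ACL check + object delivery


def _as_list(value):
    """IAM policy fields accept a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_config_principal(statement):
    """True if the statement is an Allow for the AWS Config service principal."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True  # an anonymous grant covers the service (and far more)
    if isinstance(principal, dict):
        return CONFIG_PRINCIPAL in _as_list(principal.get("Service"))
    return False


def missing_config_permissions(policy_json, bucket):
    """Required actions the policy does not grant config.amazonaws.com; [] means OK."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _allows_config_principal(stmt):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        for action in REQUIRED_ACTIONS:
            # GetBucketAcl targets the bucket ARN, PutObject the objects inside it
            target = bucket_arn if action == "s3:GetBucketAcl" else f"{bucket_arn}/obj"
            # IAM action names are case-insensitive and may carry '*' wildcards
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in actions) and any(
                fnmatch.fnmatchcase(target, r) for r in resources
            ):
                granted.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in granted]


# Constructed sample policies for bucket "example-config-bucket" (not from the page)
ACL_STMT = {"Effect": "Allow", "Principal": {"Service": "config.amazonaws.com"},
            "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-config-bucket"}
PUT_STMT = {"Effect": "Allow", "Principal": {"Service": ["config.amazonaws.com"]},
            "Action": "s3:PutObject*", "Resource": "arn:aws:s3:::example-config-bucket/*"}
INCOMPLETE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ACL_STMT]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ACL_STMT, PUT_STMT]})
```

Running `missing_config_permissions(INCOMPLETE_POLICY, "example-config-bucket")` returns the delivery action that is still missing, while the policy with both statements returns an empty list.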