“Which combination of steps should the security engineer take to remediate this issue?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A security engineer is configuring AWS Config for an AWS account that uses a new 1AM entity.When the security engineer tries to configure AWS Config rules and automatic remediation options, errors occur.In the AWS CloudTrail logs, the security engineer sees the following error message: “Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is ‘null’.

“Which combination of steps should the security engineer take to remediate this issue?

(Choose two.)

Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.

Explanations:

The error indicates that AWS Config is unable to write to the S3 bucket, which suggests an issue with the bucket policy. The policy must allow theconfig.amazonaws.comservice to write to the target bucket.

The IAM entity must have the necessary permissions (s3:GetBucketAclands3:PutObject*) to interact with the S3 bucket. This permission is required to allow AWS Config to store data in the bucket.

The S3 bucket policy does not need to grants3:GetBucketAclands3:PutObject*permissions to AWS Config. Those permissions should be granted to the IAM entity instead.

The IAM entity must have the necessary permissions to interact with the S3 bucket, but theconfig.amazonaws.comservice role is the one that needs specific permissions to write to the bucket.

This option is unrelated to the specific issue described. The permissions regardingBatchGetResourceConfigandGetResourceConfigHistoryactions don’t address the issue with writing to the S3 bucket.

2026-03-22

2 Comments

  1. Sharon
    Author

    I map out that the answer is:
    Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

  2. Timothy
    Author

    It appears that the answer is:
    Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

Leave a Reply to Timothy Cancel reply

Your email address will not be published. Required fields are marked *

two × five =