Which solution will meet these requirements?
Use Amazon GuardDuty to monitor S3 bucket policies. Create an automatic remediation action rule that uses an AWS Lambda function to remediate any change that makes the objects public.
Use AWS Trusted Advisor to find publicly accessible S3 buckets. Configure email notifications in Trusted Advisor when a change is detected. Manually change the S3 bucket policy if it allows public access.
Use AWS Resource Access Manager to find publicly accessible S3 buckets. Use Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function when a change is detected. Deploy a Lambda function that programmatically remediates the change.
Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.
Explanations:
Amazon GuardDuty primarily focuses on threat detection rather than proactive policy management. It can alert on potential security issues but cannot automatically remediate S3 bucket policies without additional configurations. Therefore, relying solely on GuardDuty may not ensure that S3 objects remain private.
AWS Trusted Advisor can identify publicly accessible S3 buckets, but it requires manual intervention to change bucket policies. This approach does not provide a proactive solution to ensure all S3 objects remain private and relies on human oversight, which can lead to potential exposure risks.
AWS Resource Access Manager does not monitor S3 bucket access directly. Although Amazon SNS and AWS Lambda could be configured to respond to changes, this option still lacks the preventive measures needed to ensure all S3 objects remain private.
The S3 Block Public Access feature at the account level is designed specifically to prevent public access to S3 buckets. Coupled with a service control policy (SCP) in AWS Organizations, it can enforce the setting across the account, preventing IAM users from altering it, thus ensuring that all S3 objects remain private.
I measure that the answer is:
Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.