Which solution will meet these requirements?
Create an S3 event notification on all S3 buckets for the isPublic event. Select the SNS topic as the target for the event notifications.
Create an analyzer in AWS Identity and Access Management Access Analyzer. Create an Amazon EventBridge rule for the event type “Access Analyzer Finding” with a filter for “isPublic: true.” Select the SNS topic as the EventBridge rule target.
Create an Amazon EventBridge rule for the event type “Bucket-Level API Call via CloudTrail” with a filter for “PutBucketPolicy.” Select the SNS topic as the EventBridge rule target.
Activate AWS Config and add the cloudtrail-s3-dataevents-enabled rule. Create an Amazon EventBridge rule for the event type “Config Rules Re-evaluation Status” with a filter for “NON_COMPLIANT.” Select the SNS topic as the EventBridge rule target.
Explanations:
S3 event notifications fire for object-level events such as uploads or deletions, not for changes in bucket visibility (public access). There is no “isPublic” event type for S3 event notifications, so this option cannot be configured as described.
AWS IAM Access Analyzer provides findings for public access to resources. Using EventBridge with a filter for “isPublic: true” on an Access Analyzer finding would notify when an S3 bucket becomes publicly exposed, which meets the requirement.
“PutBucketPolicy” only tracks changes to the bucket policy; it fires on every policy update, whether or not the new policy grants public access, and it does not fire for other ways a bucket can become public (e.g., ACL changes). It therefore does not specifically detect public exposure.
AWS Config’s “cloudtrail-s3-dataevents-enabled” rule checks whether S3 data event logging is enabled in CloudTrail, not whether a bucket is publicly exposed. Config rules do evaluate resource configurations, but this particular rule does not address the requirement for public exposure notifications.
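As an added illustration (not part of the original question or its explanations), the following Python models the correct option end to end: an EventBridge event pattern for “Access Analyzer Finding” events with “isPublic: true”, a small matcher implementing the subset of EventBridge pattern semantics the rule needs, and a stand-in for publishing to the SNS topic. It goes slightly beyond the question’s pattern by also filtering on `detail.resourceType` and `detail.status`, so that public findings for other resource types and already-resolved findings do not page the team. The event field names (`source`, `detail-type`, `detail.isPublic`, `detail.resourceType`, `detail.status`) follow the documented Access Analyzer Finding event; the SNS topic ARN, account ID and bucket names are constructed placeholders, and `route_to_sns` records notifications in a list instead of calling AWS.

```python
"""
Added example: EventBridge rule for Access Analyzer public-bucket findings,
modelled offline. Topic ARN, account ID and bucket names are placeholders.
"""
import json

# Event pattern for the EventBridge rule. The resourceType and status filters
# are additions over the question's minimal pattern: they keep public findings
# for other resource types (IAM roles, KMS keys, ...) and findings that have
# already been RESOLVED out of the alert topic.
EVENT_PATTERN = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {
        "isPublic": [True],
        "resourceType": ["AWS::S3::Bucket"],
        "status": ["ACTIVE"],
    },
}

SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:public-bucket-alerts"  # placeholder


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every key in the pattern must be
    present in the event; a list means 'any of these values'; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def route_to_sns(events, published):
    """Apply the rule to a batch of events. For each match, append a message to
    `published` (a stand-in for sns.publish). Returns the number of notifications."""
    count = 0
    for event in events:
        if matches(EVENT_PATTERN, event):
            published.append({
                "TopicArn": SNS_TOPIC_ARN,
                "Subject": "Access Analyzer: public S3 bucket",
                "Message": json.dumps(event["detail"]),
            })
            count += 1
    return count


def finding(resource_type, resource, is_public, status="ACTIVE"):
    """Build a constructed Access Analyzer Finding event for demonstration."""
    return {
        "source": "aws.access-analyzer",
        "detail-type": "Access Analyzer Finding",
        "detail": {
            "status": status,
            "resourceType": resource_type,
            "resource": resource,
            "isPublic": is_public,
        },
    }


# Constructed sample events: only the first should reach the SNS topic.
SAMPLE_EVENTS = [
    finding("AWS::S3::Bucket", "arn:aws:s3:::example-public-bucket", True),
    finding("AWS::S3::Bucket", "arn:aws:s3:::example-shared-bucket", False),   # cross-account, not public
    finding("AWS::IAM::Role", "arn:aws:iam::111122223333:role/example", True),  # public, but not a bucket
    finding("AWS::S3::Bucket", "arn:aws:s3:::example-fixed-bucket", True, status="RESOLVED"),
    {"source": "aws.s3", "detail-type": "Object Created", "detail": {"bucket": {"name": "x"}}},
]

if __name__ == "__main__":
    notified = []
    print(route_to_sns(SAMPLE_EVENTS, notified), "notification(s)")
    for n in notified:
        print(n["Message"])
```

To deploy the real rule, `EVENT_PATTERN` is what would be passed as the event pattern when creating the EventBridge rule, with the SNS topic as its target; the matcher here only exists so the filtering behaviour can be checked locally against sample findings.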