Which solution will meet these requirements?
Use Amazon GuardDuty to monitor S3 bucket policies. Create an automatic remediation action rule that uses an AWS Lambda function to remediate any change that makes the objects public.
Use AWS Trusted Advisor to find publicly accessible S3 buckets. Configure email notifications in Trusted Advisor when a change is detected. Manually change the S3 bucket policy if it allows public access.
Use AWS Resource Access Manager to find publicly accessible S3 buckets. Use Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function when a change is detected. Deploy a Lambda function that programmatically remediates the change.
Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that prevents IAM users from changing the setting. Apply the SCP to the account.
Explanations:
While Amazon GuardDuty can monitor S3 bucket policies, it does not automatically prevent public access. The solution requires an automatic remediation mechanism, but relying solely on GuardDuty is not sufficient to ensure that all S3 objects remain private.
AWS Trusted Advisor can identify publicly accessible S3 buckets, but it requires manual intervention to change the bucket policy. This does not provide a proactive solution to prevent accidental public exposure of S3 objects.
AWS Resource Access Manager is not designed for monitoring S3 bucket policies or public accessibility. Although Amazon SNS and a Lambda function could be used for notification and remediation, this option does not directly address the need to ensure S3 objects remain private.
The S3 Block Public Access feature at the account level effectively prevents all public access to S3 buckets. Coupled with a service control policy (SCP) to restrict changes to this setting, it ensures comprehensive protection against accidental exposure.
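The correct option combines two settings: the account-level Block Public Access configuration and an SCP that denies changes to it. The following added example (not from the original page, and not an official AWS artifact) writes both out as the JSON documents you would actually apply, and includes a small offline evaluator that checks which API calls the SCP would deny for a given principal. The break-glass role name `SecurityBreakGlass` and the account ID `111122223333` are assumptions chosen for illustration.

```python
"""Account-level S3 Block Public Access plus a guard SCP, with a small
offline evaluator showing which calls the SCP denies. Added example with
illustrative names; not an AWS-provided artifact."""
from fnmatch import fnmatchcase

# Account-level Block Public Access: all four settings on. This is the
# PublicAccessBlockConfiguration shape used by s3control PutPublicAccessBlock.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

ALL_BLOCK_SETTINGS = list(PUBLIC_ACCESS_BLOCK)

# Guard SCP: denies changing (or, via the same permissions, deleting) the
# Block Public Access setting at account and bucket level for everyone
# except a hypothetical break-glass role. The DeletePublicAccessBlock API
# calls are authorized by the same Put* permissions, so denying the two
# Put* actions covers removal of the setting as well.
GUARD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyChangesToBlockPublicAccess",
            "Effect": "Deny",
            "Action": [
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketPublicAccessBlock",
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    # Hypothetical break-glass role; adjust to your own.
                    "aws:PrincipalARN": "arn:aws:iam::*:role/SecurityBreakGlass"
                }
            },
        }
    ],
}


def missing_block_settings(config: dict) -> list:
    """Return the Block Public Access settings that are absent or off."""
    return [name for name in ALL_BLOCK_SETTINGS if not config.get(name, False)]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate only the ArnLike / ArnNotLike operators this SCP uses."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            value = ctx.get(key, "")
            matched = any(fnmatchcase(value, p) for p in patterns)
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
    return True


def scp_denies(scp: dict, action: str, principal_arn: str) -> bool:
    """True if a Deny statement in the SCP applies to this action and principal.

    Models only explicit Deny with ArnLike/ArnNotLike conditions; real
    evaluation also involves allow statements, the OU inheritance chain,
    IAM policies and resource policies.
    """
    ctx = {"aws:PrincipalARN": principal_arn}
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(_action_matches(a, action) for a in actions):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(GUARD_SCP, indent=2))
    for arn in ("arn:aws:iam::111122223333:user/alice",
                "arn:aws:iam::111122223333:role/SecurityBreakGlass"):
        print(arn, "denied:",
              scp_denies(GUARD_SCP, "s3:PutAccountPublicAccessBlock", arn))
```

In practice the configuration is applied with `aws s3control put-public-access-block --account-id <account> --public-access-block-configuration ...` and the SCP is attached through AWS Organizations. Two caveats a practitioner should keep in mind: SCPs never restrict the management account of the organization, so the setting should be applied and audited there separately, and `missing_block_settings` is useful as a drift check because a configuration with only some of the four flags on still leaves a public-access path open.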