Answer: A and B
Option A is CORRECT because AWS Config helps keep track of changes to the S3 bucket. Any changes made, can produce an alert using the AWS CloudWatch event or SNS topic.
Option B is CORRECT because if the bucket objects are found to allow public access, the Lambda function overwrites it to be private.
Option C is incorrect because AWS Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps, but it cannot be used to detect changes on the S3 bucket and revert it back to the desired state.
Option D is incorrect because the SNS notifications do not automatically fix the incorrect S3 configurations. In this scenario, a Lambda function is required to modify the S3 bucket policy.
For more information on the implementation of this use case, kindly refer to the following URLs:
https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/