Your company has a set of files in an S3 bucket. The CIO wants to be informed when any configuration changes occur on the S3 bucket. Which of the following can be used as a security measure ensuring that you don’t put too many access restrictions on the bucket for existing users?

Answer options:

A.Use a bucket policy and place a DENY statement for the PutObject Action.
B.Use an AWS Config rule to monitor the configuration changes of the S3 bucket and use SNS to send notifications to the security department.
C.Enable versioning for the bucket.
D.Place the following statement in the bucket policy { "Version":"2012-10-17", "Statement":[ { "Sid":"AddPerm", "Effect":"Allow", "Principal": "*", "Action":["s3:GetObject"], "Resource":["arn:aws:s3:::examplebucket/*"] } ] }.

Correct Answer: B
The AWS Documentation mentions the following.
AWS Config enables continuous monitoring of your AWS resources, making it simple to assess, audit, and record resource configurations and changes. AWS Config does this by using rules that define the desired configuration state of your AWS resources. AWS Config provides several AWS managed rules that address a wide range of security concerns, such as checking if you encrypted your Amazon Elastic Block Store (Amazon EBS) volumes, tagged your resources appropriately, and enabled multi-factor authentication (MFA) for root accounts.
Option A is incorrect since this will put a restriction on the bucket users.
Option C is incorrect since this option can only prevent from accidental deletion of objects.
Option D is incorrect since this puts a security risk for allowing anonymous access to users.
For more information on using AWS Config with S3, please refer to the below URL-
https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/