
SCS-C03 Question #67: Real Exam Question with Answer & Explanation

The correct answer is A: Verify the S3 bucket policy allows config.amazonaws.com.

Submitted by cyberguy42 · Mar 6, 2026

Question

AWS Config cannot deliver configuration snapshots to Amazon S3. Which TWO actions will remediate this issue?

Options

  • A. Verify the S3 bucket policy allows config.amazonaws.com.
  • B. Verify the IAM role has s3:GetBucketAcl and s3:PutObject permissions.
  • C. Verify the S3 bucket can assume the IAM role.
  • D. Verify IAM policy allows AWS Config to write logs.
  • E. Modify AWS Config API permissions.

Explanation

AWS Config requires permissions at two levels to deliver configuration data: the AWS Config service role and the S3 bucket policy. The AWS Certified Security - Specialty Study Guide states that the S3 bucket policy must explicitly allow the config.amazonaws.com service principal to write objects. Additionally, the IAM role used by AWS Config must allow s3:GetBucketAcl and If either permission is missing, AWS Config cannot deliver snapshots and will log delivery errors in CloudTrail. This dual-permission model ensures least privilege while maintaining secure delivery of compliance data. Other options reference incorrect principals or irrelevant permissions.
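
The two-level check described above can be run offline against exported policy documents. The following is an added example, not part of the original question or of any AWS tooling: it tests the bucket policy for the config.amazonaws.com service principal and the role policy for the two permissions named in option B. The bucket name, account ID, object key and sample policies are constructed, and the evaluation is deliberately simplified as noted in the comments.

```python
import fnmatch

CONFIG_PRINCIPAL = "config.amazonaws.com"
BUCKET_ARN = "arn:aws:s3:::example-config-bucket"        # constructed bucket name
OBJECT_ARN = BUCKET_ARN + "/AWSLogs/111122223333/Config/snapshot.json.gz"  # constructed key

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold=False):
    # IAM wildcards (* and ?) act like globs; action names are case-insensitive.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def allows(policy, action, resource, service=None):
    """Simplified: an unconditional Deny wins, otherwise any matching Allow counts.
    Condition, NotAction, NotResource and NotPrincipal are not evaluated."""
    effects = set()
    for st in _as_list(policy.get("Statement", [])):
        if not (_matches(st.get("Action", []), action, fold=True)
                and _matches(st.get("Resource", []), resource)):
            continue
        if service is not None:  # resource-based policy: Principal must match too
            principal = st.get("Principal", {})
            named = principal.get("Service", []) if isinstance(principal, dict) else principal
            if not _matches(named, service):
                continue
        if st.get("Effect") == "Deny" and "Condition" in st:
            continue  # conditional Deny skipped, since conditions are not evaluated
        effects.add(st.get("Effect"))
    return "Allow" in effects and "Deny" not in effects

def delivery_gaps(bucket_policy, role_policy):
    """List what is missing at each of the two permission levels."""
    gaps = []
    if not allows(bucket_policy, "s3:PutObject", OBJECT_ARN, service=CONFIG_PRINCIPAL):
        gaps.append("bucket policy: config.amazonaws.com cannot write objects")
    for action, arn in (("s3:GetBucketAcl", BUCKET_ARN), ("s3:PutObject", OBJECT_ARN)):
        if not allows(role_policy, action, arn):
            gaps.append("role policy: " + action + " not allowed")
    return gaps

# Constructed sample policies: wrong service principal, and a role without s3:GetBucketAcl.
BAD_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
    "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Resource": BUCKET_ARN + "/*"}]}
BAD_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
    "Resource": BUCKET_ARN + "/*"}]}
if __name__ == "__main__":
    print(delivery_gaps(BAD_BUCKET_POLICY, BAD_ROLE_POLICY))
```

A role statement scoped only to the bucket's objects (`/*`) does not cover s3:GetBucketAcl, which applies to the bucket ARN itself, so the checker reports it as a gap.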
