A company's compliance team needs to enforce a policy that all Amazon S3 buckets must have 'Block all public access' enabled. If a bucket is created without this setting, the company wants it remediated automatically within minutes, without manual intervention. The solution must check for compliance continuously and apply the fix automatically. Which AWS service should the company use to meet these requirements?
AWS Config evaluates resource configurations against rules (for this requirement, the managed rule 's3-bucket-level-public-access-prohibited', which checks the bucket's Block Public Access settings) and can automatically trigger a remediation action, such as a Systems Manager Automation document, to fix noncompliant S3 buckets without manual intervention. This matches the requirement.
Why this answer
AWS Config continuously records the configuration of S3 buckets and evaluates each change against a managed rule. Rules such as 's3-bucket-public-read-prohibited' and 's3-bucket-public-write-prohibited' detect buckets that are actually readable or writable by the public (via ACLs or bucket policy); the rule that checks the 'Block all public access' setting itself is 's3-bucket-level-public-access-prohibited'. When a noncompliant bucket is detected, a remediation configuration on the rule can automatically run an AWS Systems Manager Automation document. The document 'AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock' turns on the four Block Public Access settings for the bucket; the older 'AWS-DisableS3BucketPublicReadWrite' document instead resets the bucket ACL to private and does not enable Block Public Access. Because the rule is change-triggered, the fix lands within minutes of the bucket being created, without manual intervention.
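The following CloudFormation template is an added illustration of the Config rule plus automatic remediation described above; it is not part of the original question or AWS documentation. It assumes AWS Config is already enabled with a configuration recorder in the account and region, and the role name, rule name and retry settings are choices made for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: detect S3 buckets whose Block Public Access settings are off
  and remediate them automatically with an SSM Automation document.
  Assumes an AWS Config recorder is already running in this account/region.

Resources:
  # Role that Systems Manager Automation assumes when running the remediation.
  # Scoped to the two S3 actions the document needs (least privilege).
  S3PublicAccessRemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ConfigureS3BucketPublicAccessBlock
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetBucketPublicAccessBlock
                  - s3:PutBucketPublicAccessBlock
                Resource: "*"

  # Managed rule: NON_COMPLIANT when any of the four bucket-level
  # Block Public Access settings is false. Change-triggered, so a newly
  # created bucket is evaluated as soon as Config records it.
  S3BucketBlockPublicAccessRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-level-public-access-prohibited
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED

  # Automatic remediation: Config passes the noncompliant bucket's
  # resource ID (the bucket name) to the Automation document, which
  # calls PutPublicAccessBlock with all four settings enabled.
  S3BucketBlockPublicAccessRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3BucketBlockPublicAccessRule
      TargetType: SSM_DOCUMENT
      TargetId: AWSConfigRemediation-ConfigureS3BucketPublicAccessBlock
      Automatic: true
      MaximumAutomaticAttempts: 3     # example values: retry up to 3 times
      RetryAttemptSeconds: 60         # ...waiting 60 s between attempts
      Parameters:
        BucketName:
          ResourceValue:
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt S3PublicAccessRemediationRole.Arn
        BlockPublicAcls:
          StaticValue:
            Values: ["true"]
        IgnorePublicAcls:
          StaticValue:
            Values: ["true"]
        BlockPublicPolicy:
          StaticValue:
            Values: ["true"]
        RestrictPublicBuckets:
          StaticValue:
            Values: ["true"]
```

Two checks worth doing after deploying: create a test bucket with one of the four settings turned off and confirm in the Config console that the rule flags it and the remediation status moves to 'Action executed successfully'; and note that this rule covers the bucket-level setting only, so the account-level Block Public Access setting (checked by the separate managed rule 's3-account-level-public-access-blocks-periodic') still needs to be enforced if the policy requires it.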
Exam trap
The trap here is that candidates often confuse AWS Config's compliance and remediation capabilities with CloudTrail's API logging or GuardDuty's threat detection, failing to recognize that, of the services offered, only AWS Config provides continuous configuration evaluation with automatic remediation actions.
How to eliminate wrong answers
Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior using anomaly detection and threat intelligence; it does not evaluate resource configurations against internal policies or perform automated remediation. Option C is wrong because AWS CloudTrail records API activity for auditing and governance, but it cannot continuously check compliance or automatically remediate misconfigurations; it only provides logs for after-the-fact analysis. Option D is wrong because AWS Identity and Access Management (IAM) manages identities, permissions and access control, but it does not monitor or enforce S3 bucket-level configuration settings such as the public access block.