A company wants to ensure that all Amazon S3 buckets have versioning enabled to protect against accidental deletion of objects. A SysOps administrator needs to automatically detect any buckets that do not have versioning enabled and receive notifications. Which AWS service should the administrator use?
Correct. AWS Config evaluates resource configurations against desired policies using managed or custom rules. The 's3-bucket-versioning-enabled' managed rule will flag buckets that do not have versioning enabled.
Why this answer
AWS Config is the correct service because it provides managed rules, such as 's3-bucket-versioning-enabled', that continuously evaluate your S3 buckets against desired configuration states. When a bucket is non-compliant (versioning disabled), AWS Config can trigger an Amazon SNS notification to alert the administrator, enabling automated detection and remediation.
Exam trap
The trap here is that candidates confuse AWS Config (continuous configuration auditing) with AWS CloudTrail (API activity logging), thinking that CloudTrail can detect non-compliant states when, in fact, it only records the API actions that change state.
How to eliminate wrong answers
Option A (AWS CloudTrail) is wrong because it records API activity (e.g., PutBucketVersioning calls) but does not continuously evaluate the current configuration state of resources; it cannot proactively detect buckets with versioning disabled unless an API call is made.

Option C (Amazon Inspector) is wrong because it is designed for vulnerability assessment of EC2 instances and container workloads, not for auditing S3 bucket configurations.

Option D (AWS Trusted Advisor) is wrong because, while it can check S3 bucket versioning as part of its cost optimization and security checks, it does not provide automated, real-time notifications for configuration drift; it is a manual, periodic review tool.