In a cloud environment, the security team discovers that a misconfigured S3 bucket has made customer data publicly accessible. After securing the bucket, what is the most important next step?
Breach notification is legally required in many jurisdictions and prioritizes customer protection.
Why this answer
Option C is correct because after securing a misconfigured S3 bucket that exposed customer data, the most important next step is to notify affected customers. This aligns with incident response best practices and regulatory requirements (e.g., GDPR, HIPAA) that mandate timely disclosure of data breaches to impacted individuals. Without notification, the organization may face legal penalties and loss of trust, even if the data is now secure.
Exam trap
ISC2 often tests the misconception that technical remediation (e.g., changing policies or deleting data) is the most important step, when in fact incident response frameworks prioritize communication and legal/regulatory obligations over purely technical actions.
How to eliminate wrong answers
Option A is wrong because deleting the data would destroy evidence needed for forensic analysis and could violate data retention policies; the data should be preserved for investigation.
Option B is wrong because while reviewing logs is important, it is not the most critical next step—notification takes precedence to comply with breach notification laws and ethical obligations.
Option D is wrong because changing the bucket policy is already part of securing the bucket, which was completed before this step; the question states the bucket has already been secured, so repeating this action is unnecessary and does not address the exposure.