
Amazon SCS-C02: Combination steps to fix error Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is ‘null’.

Question

A security engineer is configuring AWS Config for an AWS account that uses a new IAM entity. When the security engineer tries to configure AWS Config rules and automatic remediation options, errors occur. In the AWS CloudTrail logs, the security engineer sees the following error message: “Insufficient delivery policy to s3 bucket: DOC-EXAMPLE-BUCKET, unable to write to bucket, provided s3 key prefix is ‘null’.” Which combination of steps should the security engineer take to remediate this issue? (Choose two.)

A. Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
B. Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
C. Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.
D. Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
E. Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.

Answer

A. Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.
B. Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

Explanation

Based on the error message and the search results, I think the correct answers are A and B.

A. Check the Amazon S3 bucket policy. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

AWS Config delivers configuration snapshots and history files to the delivery-channel bucket either through an IAM role that you specify or through its service-linked role, which acts as the config.amazonaws.com service principal. The error message says AWS Config could not write to DOC-EXAMPLE-BUCKET, so the first thing to check is the bucket's resource-based policy: it must contain Allow statements for the Service principal config.amazonaws.com that grant s3:GetBucketAcl and s3:ListBucket on the bucket and s3:PutObject on the object path AWS Config delivers to (AWSLogs/<account-id>/Config/ under the configured prefix). When the service-linked role is used, this bucket policy is the only thing that grants AWS Config write access, and even when an IAM role is used the bucket policy must not deny these actions.

B. Verify that the IAM entity has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

If AWS Config was set up with an IAM role rather than the service-linked role, that role's identity-based policy also has to allow s3:GetBucketAcl on the bucket and s3:PutObject* on the delivery path (with the object ACL set to bucket-owner-full-control). The question states that the account uses a new IAM entity, so its policy may simply not include these S3 permissions yet; verify them against the bucket ARN and the object path AWS Config actually writes to. The ‘null’ key prefix in the message indicates that no delivery-channel prefix was configured, which changes the object path and therefore the Resource ARN the s3:PutObject* grant has to cover.
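As an added example (not code from the page or from AWS), the following Python checks a bucket policy for the grants described in options A and B and builds the bucket policy and IAM role policy that satisfy them. DOC-EXAMPLE-BUCKET comes from the question; the account ID 123456789012, the 'config' prefix, the constructed broken policy and the checker itself are assumptions for illustration.

```python
"""Check an S3 bucket policy for the grants AWS Config needs in order to deliver to
the bucket, and build the bucket policy and IAM role policy that fix the error.
Added example for this page, not AWS's own code. DOC-EXAMPLE-BUCKET is the bucket
named in the question; the account ID and 'config' prefix are assumed placeholders."""
import json

CONFIG_SERVICE = "config.amazonaws.com"
BUCKET = "DOC-EXAMPLE-BUCKET"
ACCOUNT_ID = "123456789012"  # assumed placeholder account
PREFIX = "config"            # assumed delivery-channel prefix
SIDS = {"s3:GetBucketAcl": "AWSConfigBucketPermissionsCheck",
        "s3:ListBucket": "AWSConfigBucketExistenceCheck",
        "s3:PutObject": "AWSConfigBucketDelivery"}


def required_grants(bucket, account_id, prefix):
    """Action -> resource pairs AWS Config must be allowed on the delivery bucket."""
    key_path = f"{prefix}/AWSLogs/{account_id}/Config/*" if prefix else f"AWSLogs/{account_id}/Config/*"
    return {
        "s3:GetBucketAcl": f"arn:aws:s3:::{bucket}",
        "s3:ListBucket": f"arn:aws:s3:::{bucket}",
        "s3:PutObject": f"arn:aws:s3:::{bucket}/{key_path}",
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, target):
    """IAM-style match: exact, or prefix match when the pattern ends with '*'."""
    pattern, target = pattern.lower(), target.lower()
    if pattern.endswith("*"):
        return target.startswith(pattern[:-1])
    return pattern == target


def _allows_config_service(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return CONFIG_SERVICE in services


def missing_config_grants(bucket_policy, bucket, account_id, prefix):
    """Return the (action, resource) pairs that no Allow for config.amazonaws.com covers."""
    missing = set(required_grants(bucket, account_id, prefix).items())
    for stmt in _as_list(bucket_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _allows_config_service(stmt):
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action, resource in list(missing):
            if any(_pattern_matches(a, action) for a in actions) and any(
                _pattern_matches(r, resource) for r in resources
            ):
                missing.discard((action, resource))
    return missing


def build_delivery_bucket_policy(bucket, account_id, prefix):
    """Bucket policy in the shape the AWS Config docs give for the delivery channel (option A)."""
    statements = []
    for action, resource in required_grants(bucket, account_id, prefix).items():
        # AWS:SourceAccount pins the grant to this account's AWS Config (confused-deputy guard)
        condition = {"StringEquals": {"AWS:SourceAccount": account_id}}
        if action == "s3:PutObject":
            # delivered objects must hand the bucket owner full control
            condition["StringEquals"]["s3:x-amz-acl"] = "bucket-owner-full-control"
        statements.append({"Sid": SIDS[action], "Effect": "Allow",
                           "Principal": {"Service": CONFIG_SERVICE},
                           "Action": action, "Resource": resource, "Condition": condition})
    return {"Version": "2012-10-17", "Statement": statements}


def build_config_role_policy(bucket, account_id, prefix):
    """Identity-based policy for an IAM role that AWS Config assumes (option B)."""
    grants = required_grants(bucket, account_id, prefix)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": grants["s3:PutObject"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Effect": "Allow", "Action": "s3:GetBucketAcl", "Resource": grants["s3:GetBucketAcl"]},
    ]}


# Constructed bucket policy that lets AWS Config read the bucket ACL but never write to it:
# the kind of policy behind "Insufficient delivery policy to s3 bucket".
BROKEN_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CONFIG_SERVICE},
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
]}

if __name__ == "__main__":
    print("missing:", sorted(missing_config_grants(BROKEN_BUCKET_POLICY, BUCKET, ACCOUNT_ID, PREFIX)))
    print(json.dumps(build_delivery_bucket_policy(BUCKET, ACCOUNT_ID, PREFIX), indent=2))
    print(json.dumps(build_config_role_policy(BUCKET, ACCOUNT_ID, PREFIX), indent=2))
```

Run against the constructed policy, the checker reports that s3:ListBucket on the bucket and s3:PutObject on the delivery path are missing, which is exactly what option A tells you to look for; the role policy is what option B asks you to verify on the IAM entity. The checker only understands plain Allow statements, Service principals and trailing-wildcard patterns, so treat it as a triage aid and confirm the real decision with the IAM policy simulator or IAM Access Analyzer.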

The other options are not correct because:

C. Verify that the Amazon S3 bucket policy has the permissions necessary to perform the s3:GetBucketAcl and s3:PutObject* operations to write to the target bucket.

This option is redundant with option A, which already covers the bucket policy. The second fix has to address the permissions of the IAM entity itself, and only option B does that.

D. Check the policy that is associated with the IAM entity. Verify that the policy allows the config.amazonaws.com service to write to the target bucket.

This option confuses the two policy types. An identity-based policy attached to the IAM entity can only grant permissions to that entity; it cannot grant anything to the config.amazonaws.com service principal. A service principal gets its permissions on a bucket from the bucket's resource-based policy, which is what option A checks.

E. Verify that the AWS Config service role has permissions to invoke the BatchGetResourceConfig action instead of the GetResourceConfigHistory action and s3:PutObject* operation.

This option does not address the error. BatchGetResourceConfig and GetResourceConfigHistory are AWS Config API actions for reading resource configuration data, not permissions to deliver to S3, and swapping one for the other does nothing about writing to the bucket.
