AWS Config cannot deliver configuration snapshots to Amazon S3.
Which TWO actions will remediate this issue?
AWS Config requires permissions at two levels to deliver configuration data: the AWS Config service role and the S3 bucket policy. The AWS Certified Security - Specialty Study Guide states that the S3 bucket policy must explicitly allow the config.amazonaws.com service principal to write objects. Additionally, the IAM role used by AWS Config must allow s3:GetBucketAcl and s3:PutObject.
If either permission is missing, AWS Config cannot deliver snapshots and will log delivery errors in CloudTrail. This dual-permission model ensures least privilege while maintaining secure delivery of compliance data.
Other options reference incorrect principals or irrelevant permissions.
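The two-level check described above can be run offline against exported policy JSON. This is an added example, not part of the original explanation or any AWS tooling: the function names, the bucket name and the sample policies are constructed for illustration. It matches only on Effect, Principal and Action, and does not evaluate Resource or Condition elements.

```python
import fnmatch

CONFIG_PRINCIPAL = "config.amazonaws.com"
ROLE_ACTIONS = ("s3:GetBucketAcl", "s3:PutObject")  # required on the Config role
BUCKET_ACTIONS = ("s3:PutObject",)                  # required in the bucket policy

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _applies(stmt, service):
    """Does this statement apply to the service principal (None = identity policy)?"""
    if service is None:
        return True
    principal = stmt.get("Principal")
    if principal == "*":
        # A wildcard Allow is not an explicit grant; a wildcard Deny still blocks.
        return stmt.get("Effect") == "Deny"
    return isinstance(principal, dict) and service in _as_list(principal.get("Service"))

def missing_actions(policy, actions, service=None):
    """Return the actions that are not allowed, or are explicitly denied."""
    missing = []
    for action in actions:
        effects = {
            stmt.get("Effect")
            for stmt in _as_list(policy.get("Statement"))
            if _applies(stmt, service)
            and any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                    for pat in _as_list(stmt.get("Action")))
        }
        if "Allow" not in effects or "Deny" in effects:
            missing.append(action)
    return missing

def diagnose(role_policy, bucket_policy):
    return {"role": missing_actions(role_policy, ROLE_ACTIONS),
            "bucket": missing_actions(bucket_policy, BUCKET_ACTIONS, CONFIG_PRINCIPAL)}

# Constructed sample policies (bucket name is a placeholder).
ARN = "arn:aws:s3:::example-config-bucket"
ROLE_BROKEN = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": ARN + "/*"}]}
BUCKET_BROKEN = {"Statement": [{"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
                                "Action": "s3:PutObject", "Resource": ARN + "/*"}]}

if __name__ == "__main__":
    print(diagnose(ROLE_BROKEN, BUCKET_BROKEN))
```

An empty list for both "role" and "bucket" means neither level is missing a permission the explanation names; anything listed is a gap to close in that policy.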
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS Config Prerequisites