🔥 3-day streak
AWS Certified Security - Specialty21 / 157
Question 21 of 157

A financial services company uses AWS Control Tower to manage a multi-account environment. The security team must ensure that every newly vaccounted through Account Factory automatically has a standardized security baseline applied, including a mandatory detective control that flags any S3 bucket configured with public read access. This control must be reported centrally without preventing the provisioning of the account. The team wants to use Control Tower's native capability rather than building custom automation. Which approach meets these requirements?

Reviewed for accuracy · Report an issueNext question