A DevOps engineer is working on a member account in an organization in AWS Organizations...

Option B is the only choice that directly satisfies both requirements:

Continuously evaluate the account-level S3 Block Public Access setting

AWS Config is designed to record configuration state and evaluate resources/settings against rules over time.

A Config rule (managed rule) can check whether the account-level “S3 Block Public Access” settings are configured as required (i.e., blocking public access).

Automatically revert drift (auto-remediate) if someone changes the setting later

AWS Config Remediation can automatically trigger an AWS Systems Manager Automation runbook when the rule becomes NON_COMPLIANT .

Using an SSM Automation document/runbook that sets S3 account-level Block Public Access back to the required “blocked” configuration ensures that any future change is corrected automatically , restoring compliance without manual intervention.

Why the other options don’t fully meet the requirement:

A (Security Hub) : Security Hub primarily aggregates findings and checks controls. While it can integrate with automation, AWS Config is the standard service for configuration drift detection + automatic remediation loops for account-level posture settings. Security Hub is not the most direct “detect config drift and auto-fix” mechanism for an account setting in the way Config remediation is.

C (SCP) : An SCP can restrict API actions, but it doesn’t “revert” a changed S3 Block Public Access configuration ; it only prevents/limits what actions can be called. Also, “deny S3 actions from outside the account” is not the same as enforcing Block Public Access settings at the account level.

D (Macie + EventBridge) : Macie focuses on data discovery and sensitive data findings , not enforcing or continuously remediating S3 account-level Block Public Access configuration drift. Triggering remediation off Macie findings is indirect and not aligned to “setting changed → immediately revert.”