AWS Certified CloudOps Engineer - Associate · Domain 4 · 16% of exam

Security and Compliance

Drill 20 practice questions focused entirely on Security and Compliance for the AWS SOA-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A CloudOps engineer manages several Application Load Balancers that use TLS certificates issued by AWS Certificate Manager (ACM). Some certificates were imported into ACM from a third-party certificate authority, while others were requested directly from ACM. The security team wants proactive alerts at least 30 days before any certificate expires so they can renew in time. Which approach requires the LEAST ongoing operational effort to ensure the team is notified before expiration?

Reviewed for accuracy · Report an issue
Question 2 of 20

A CloudOps engineer is deploying a global web application that uses Amazon CloudFront as the CDN with a custom domain name. The engineer requests an ACM certificate in the eu-west-1 Region (where the origin ALB resides) and attempts to associate it with the CloudFront distribution, but the certificate does not appear as a selectable option in the CloudFront console. What is the correct action to resolve this?

Reviewed for accuracy · Report an issue
Question 3 of 20

A company runs internal microservices on EC2 instances within a private VPC. Security policy requires all service-to-service communication to use TLS with certificates issued from a trusted internal certificate authority. The certificates must not be publicly trusted, and the company wants to automate issuance and renewal without managing its own CA infrastructure on servers. Which solution meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 4 of 20

A financial services company must be able to prove during audits that its AWS API activity logs have not been altered or deleted after being written. The security team already has a CloudTrail trail delivering logs to an S3 bucket, but auditors require cryptographic proof that no log files were tampered with between delivery and review. Which action provides this assurance with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 5 of 20

A company uses AWS Organizations with 40 member accounts. The security team needs to capture all management event API activity across every existing and future account, delivering logs to a single S3 bucket in a dedicated logging account. Member account administrators must not be able to modify or delete the trail configuration in their own accounts. Which approach meets these requirements with the least ongoing administrative effort?

Reviewed for accuracy · Report an issue
Question 6 of 20

A CloudOps engineer manages compliance for an organization with 40 AWS accounts across 3 regions using AWS Organizations. The security team wants a single, centralized dashboard showing the compliance status of AWS Config rules across all member accounts and regions without logging into each account individually. AWS Config is already enabled in every account and region. What is the MOST operationally efficient way to provide this centralized view?

Reviewed for accuracy · Report an issue
Question 7 of 20

A CloudOps engineer must ensure that all RDS database instances across a single account have deletion protection enabled. The security team wants a fully managed, low-maintenance solution that continuously evaluates existing and newly created RDS instances and records compliance status, without the engineer writing or maintaining any evaluation logic. Which approach meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 8 of 20

A CloudOps engineer must provide auditors with evidence that all API activity in an AWS account is being recorded, that resource configurations are continuously evaluated against a security baseline, and that a prioritized, aggregated view of findings across multiple compliance standards (such as CIS and PCI DSS) is available. Which combination of services, used for its intended purpose, satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 9 of 20

A CloudOps engineer must continuously evaluate whether all EBS volumes, RDS instances, and S3 buckets across every account in an AWS Organization are encrypted at rest. Leadership wants a single, standardized set of encryption compliance rules deployed centrally and applied to all member accounts, with results aggregated for auditors. Which approach best meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 10 of 20

A CloudOps engineer manages a fleet of EC2 instances that must always have IMDSv2 enforced. Occasionally, developers launch instances with IMDSv1 enabled through the console. The team wants AWS Config to not only detect noncompliant instances but also automatically remediate them by requiring the token-based metadata endpoint, without manual intervention. Which approach satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 11 of 20

A CloudOps engineer must continuously detect any EBS volumes in a production account that are created without encryption, so the compliance team receives an alert and a historical record of when each violation occurred. The solution must require minimal custom code and provide a queryable timeline of resource compliance state changes. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 12 of 20

A CloudOps engineer manages AWS Config across an organization. A security requirement mandates that data at rest in Amazon RDS must be encrypted using a customer managed KMS key rather than the default AWS managed key. The team already has an AWS Config rule detecting unencrypted RDS instances, but they now need automatic email alerts to the security team whenever any resource is evaluated as NON_COMPLIANT, without writing custom evaluation logic. Which approach meets this requirement with the least operational effort?

Reviewed for accuracy · Report an issue
Question 13 of 20

A CloudOps engineer must prove to auditors that all RDS DB instances across the company's production account have encryption at rest enabled, and must be alerted whenever a non-compliant instance is created. The solution should require minimal ongoing operational effort and provide a historical record of compliance status over time. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 14 of 20

A CloudOps engineer must ensure that all newly created RDS instances in a production account automatically have their public accessibility setting disabled if a developer accidentally enables it. The remediation must run without human intervention and must be triggered by the configuration change. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 15 of 20

A CloudOps engineer at a financial services company must continuously identify any S3 buckets, IAM roles, KMS keys, and SQS queues in a production account whose resource-based policies grant access to external principals outside the organization. The security team wants findings generated automatically whenever a policy is created or modified, with the ability to confirm known cross-account sharing as intended. Which solution meets these requirements with the least operational effort?

Reviewed for accuracy · Report an issue
Question 16 of 20

A CloudOps engineer is tasked with tightening IAM permissions across a single AWS account. The security team wants to identify IAM roles and users that have permissions they have not used in the last 90 days, so those excess permissions can be removed to enforce least privilege. The engineer wants a native, low-maintenance AWS solution that automatically surfaces these findings without writing custom scripts to parse logs. Which approach should the engineer implement?

Reviewed for accuracy · Report an issue
Question 17 of 20

A CloudOps engineer works for a SaaS monitoring vendor that must access its customers' AWS accounts to read CloudWatch metrics. Each customer creates an IAM role that trusts the vendor's AWS account and grants read-only CloudWatch access. During a security review, the engineer is warned that a malicious third party who learns a customer's role ARN could potentially trick the vendor's service into assuming that role on the attacker's behalf. Which approach should the vendor require its customers to implement to prevent this cross-account access risk?

Reviewed for accuracy · Report an issue
Question 18 of 20

A CloudOps engineer manages an AWS account where 40 developers each have IAM users. Currently, permissions are assigned by attaching inline policies directly to each user, and updating a single permission requires editing every user individually. The team wants a scalable approach that reduces administrative overhead and ensures consistent permissions across all developers, while still allowing a subset of developers to receive additional temporary permissions when working on a special project. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 19 of 20

A company allows developers in each project team to create IAM roles for their own applications so they can move quickly. Security is concerned that a developer could create a role with full administrative access and attach it to an application. The security team wants developers to retain the ability to create roles and attach policies, but wants to guarantee that any role they create can never obtain permissions beyond a defined set (such as S3, DynamoDB, and CloudWatch access). What is the MOST appropriate way to enforce this constraint?

Reviewed for accuracy · Report an issue
Question 20 of 20

A CloudOps engineer is troubleshooting access for a developer who cannot upload objects to an S3 bucket. The developer is a member of an IAM group that has an attached policy allowing s3:PutObject on the bucket. The bucket policy also allows the developer's IAM user to perform s3:PutObject. However, a permissions boundary attached to the IAM user allows only s3:GetObject and s3:ListBucket. What is the reason the upload is failing?

Reviewed for accuracy · Report an issue

More SOA-C03 practice

Keep going with the other AWS Certified CloudOps Engineer - Associate domains, or take a full timed mock exam.

← Back to SOA-C03 overview