AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A company operates dozens of AWS accounts in AWS Organizations. Security requires that any new security group rule that permits 0.0.0.0/0 on TCP port 22 be removed within seconds of creation. The CloudOps engineer must build an agent-less, event-driven solution that can be maintained centrally in a shared services account while minimizing custom code and ongoing operations. Which approach meets these requirements?

  • Enable AWS CloudTrail Lake in every account and schedule a daily SQL query with Amazon EventBridge Scheduler that invokes an AWS Lambda function to remove any discovered non-compliant rules.

  • Launch a small, always-running EC2 instance in each account that polls DescribeSecurityGroups every minute with a script and removes any rule that allows 0.0.0.0/0 on port 22.

  • Configure the AWS Config managed rule for unrestricted SSH in every account and attach an AWS Systems Manager Automation document that revokes the offending rule when the evaluation is non-compliant.

  • Create an Amazon EventBridge rule in each workload account that matches the AWS API call "AuthorizeSecurityGroupIngress" and sends the event to a centrally shared event bus. In the shared services account, invoke an AWS Lambda function that deletes the non-compliant rule.
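The last option describes an event-driven pipeline: CloudTrail records the AuthorizeSecurityGroupIngress call, EventBridge in the workload account matches it and forwards it to the shared bus, and one Lambda function in the shared services account revokes the rule. Two things a practitioner should check before relying on it: EventBridge only delivers "AWS API Call via CloudTrail" events in an account where a trail is logging management events, and the central bus needs a resource policy that allows `events:PutEvents` from the member accounts (or the organization), with the forwarding rule in each workload account using an IAM role that may put events to that bus. The Lambda below is an added example written for this page, not part of the question and not an AWS-provided artifact. It assumes a role named `SgRemediationRole` in every workload account that the central function can assume (hypothetical name), and the sample event is constructed to mimic the shape EventBridge delivers for a CloudTrail API call. It deliberately goes slightly beyond the question's literal wording by also treating protocol `-1` (all traffic) from 0.0.0.0/0 as opening TCP/22, and it keeps the authorized port range intact when revoking, because RevokeSecurityGroupIngress must match the existing rule exactly.

```python
# Added example (not part of the question): central Lambda revoking 0.0.0.0/0 on TCP/22
# from an AuthorizeSecurityGroupIngress CloudTrail event forwarded via EventBridge.
from typing import Any, Dict, List

# EventBridge rule pattern deployed in every workload account; the rule's target is
# the shared services account's event bus.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["AuthorizeSecurityGroupIngress"]},
}
OPEN_CIDR = "0.0.0.0/0"
SSH_PORT = 22
REMEDIATION_ROLE_NAME = "SgRemediationRole"  # assumption: exists in each workload account


def _items(node: Any) -> List[Dict[str, Any]]:
    """CloudTrail serialises EC2 lists as {"items": [...]}; normalise to a plain list."""
    if not node:
        return []
    return node.get("items", []) if isinstance(node, dict) else list(node)


def find_offending_permissions(detail: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return boto3-shaped IpPermissions from the request that open SSH to the world:
    CIDR 0.0.0.0/0 with TCP and a port range covering 22, or protocol -1 (all traffic).
    The authorised port range is kept as-is: RevokeSecurityGroupIngress must match the
    existing rule exactly, so narrowing 20-25 to 22-22 would revoke nothing."""
    params = detail.get("requestParameters") or {}
    offending: List[Dict[str, Any]] = []
    for perm in _items(params.get("ipPermissions")):
        proto = str(perm.get("ipProtocol", ""))
        from_port, to_port = perm.get("fromPort"), perm.get("toPort")
        covers_ssh = proto == "-1" or (
            proto.lower() == "tcp" and from_port is not None and to_port is not None
            and int(from_port) <= SSH_PORT <= int(to_port))
        if not covers_ssh:
            continue
        for rng in _items(perm.get("ipRanges")):
            if rng.get("cidrIp") != OPEN_CIDR:
                continue
            entry: Dict[str, Any] = {"IpProtocol": proto, "IpRanges": [{"CidrIp": OPEN_CIDR}]}
            if proto != "-1":
                entry["FromPort"], entry["ToPort"] = int(from_port), int(to_port)
            offending.append(entry)
    return offending


def _ec2_client_for(event: Dict[str, Any]) -> Any:
    """Assume the remediation role in the account that emitted the event (assumed setup)."""
    import boto3  # imported here so the pure detection logic needs no AWS SDK

    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{event['account']}:role/{REMEDIATION_ROLE_NAME}",
        RoleSessionName="sg-ssh-remediation",
    )["Credentials"]
    return boto3.client(
        "ec2", region_name=event["region"],
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def handler(event: Dict[str, Any], context: Any = None, ec2_client: Any = None) -> Dict[str, Any]:
    """Lambda entry point; ec2_client is injectable for offline testing."""
    detail = event.get("detail") or {}
    if detail.get("errorCode"):
        # CloudTrail records failed calls too: nothing was created, so nothing to revoke.
        return {"revoked": 0, "reason": "authorize call failed"}
    group_id = (detail.get("requestParameters") or {}).get("groupId")
    perms = find_offending_permissions(detail)
    if not group_id or not perms:
        return {"revoked": 0, "reason": "no 0.0.0.0/0 TCP/22 rule in request"}
    if ec2_client is None:
        ec2_client = _ec2_client_for(event)
    ec2_client.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return {"revoked": len(perms), "groupId": group_id, "account": event.get("account")}


def _perm(proto: str, lo: int, hi: int, *cidrs: str) -> Dict[str, Any]:
    # Builds one CloudTrail-shaped ipPermissions item for the constructed sample below.
    return {"ipProtocol": proto, "fromPort": lo, "toPort": hi,
            "ipRanges": {"items": [{"cidrIp": c} for c in cidrs]}}


# Constructed sample in the shape EventBridge delivers for a CloudTrail API call.
SAMPLE_EVENT = {
    "account": "111122223333", "region": "us-east-1", "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                _perm("tcp", 22, 22, "10.0.0.0/8", "0.0.0.0/0"),   # offending
                _perm("tcp", 443, 443, "0.0.0.0/0"),               # fine: not SSH
                _perm("tcp", 20, 25, "0.0.0.0/0"),                 # offending: range covers 22
            ]},
        },
    },
}
```

Running `find_offending_permissions(SAMPLE_EVENT["detail"])` yields two revoke entries (TCP 22-22 and TCP 20-25, each with only the 0.0.0.0/0 range), and `handler(SAMPLE_EVENT, None, some_ec2_client)` issues a single RevokeSecurityGroupIngress call for the group. Only the world-open range is revoked, so the 10.0.0.0/8 entry authorized in the same call survives; the function also ignores events whose `errorCode` shows the original call was rejected, since in that case no rule exists to remove.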

Deployment, Provisioning, and Automation