AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A company operates separate development and production AWS accounts that are enrolled in AWS Organizations. Security policy states that all new and existing Amazon EBS volumes must be encrypted. The CloudOps team also must email a consolidated CSV report each month that lists every EBS volume that was found non-compliant during that period. Which approach will satisfy both requirements with the least operational overhead?
Enable EBS encryption by default in each account with an AWS Config remediation runbook. Rely on this setting to bring all existing volumes into compliance and use configuration snapshots to an S3 bucket as the monthly report.
Turn on the Security Hub "EC2.5 EBS encryption" control and configure a Lambda function to act on new findings by encrypting affected volumes; schedule a weekly Security Hub CSV export through QuickSight and email the results.
Enable the AWS Config managed rule "ebs-encrypted-volume" in every account. Create an EventBridge rule that targets an SSM Automation runbook to snapshot, encrypt, and replace any NON_COMPLIANT volume. Deploy the same rule in an AWS Config conformance pack, aggregate results in the security account, export the monthly compliance report to an S3 bucket, and notify the security mailbox with Amazon SNS.
Use Amazon GuardDuty to detect unencrypted EBS volumes, trigger an AWS Step Functions workflow to encrypt them, and query GuardDuty findings with Athena each month to produce the required CSV report.
AWS Config includes the managed rule "ebs-encrypted-volume" that evaluates whether each EBS volume is encrypted. When the rule enters the NON_COMPLIANT state, an Amazon EventBridge rule can invoke an AWS Systems Manager Automation runbook that snapshots the volume, creates an encrypted copy, and swaps the volume attachment, thereby remediating existing resources without manual work.
AWS Config conformance packs automatically aggregate rule results across multiple accounts and regions. A conformance pack's built-in compliance report can be exported on a schedule to an S3 bucket that all accounts write to. Amazon SNS can publish a notification (with the report link or file) to the security team's mailbox each month.
The other options either rely on services that cannot detect unencrypted EBS volumes (GuardDuty), lack an automatic remediation for existing volumes (turning on EBS encryption by default only affects future volumes), or require custom Lambda/QuickSight solutions that add unnecessary operational overhead.
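The monthly report has to list every volume that was non-compliant at any point in the period, including volumes the runbook has since remediated, so a month-end snapshot of current state is not enough. The sketch below is an added example, not part of the original question or any AWS tooling: it builds that CSV from EventBridge "Config Rules Compliance Change" events, using constructed sample events with made-up account and volume IDs and the rule name as given on this page.

```python
import csv
import io
from datetime import datetime

RULE_NAME = "ebs-encrypted-volume"  # rule name as written on this page

# Builds a constructed event in the shape of a "Config Rules Compliance Change" event.
def _event(time, account, region, volume, compliance, rule=RULE_NAME):
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
            "time": time,
            "detail": {"configRuleName": rule, "resourceType": "AWS::EC2::Volume",
                       "resourceId": volume, "awsAccountId": account, "awsRegion": region,
                       "newEvaluationResult": {"complianceType": compliance}}}

SAMPLE_EVENTS = [  # constructed data: IDs are placeholders, not real resources
    _event("2025-02-27T09:00:00Z", "111111111111", "us-east-1", "vol-0ccc", "NON_COMPLIANT"),
    _event("2025-03-04T10:15:00Z", "111111111111", "us-east-1", "vol-0aaa", "NON_COMPLIANT"),
    _event("2025-03-04T10:40:00Z", "111111111111", "us-east-1", "vol-0aaa", "COMPLIANT"),
    _event("2025-03-09T08:00:00Z", "222222222222", "eu-west-1", "vol-0bbb", "NON_COMPLIANT"),
    _event("2025-03-20T08:00:00Z", "222222222222", "eu-west-1", "vol-0bbb", "NON_COMPLIANT"),
    _event("2025-03-11T12:00:00Z", "111111111111", "us-east-1", "vol-0ddd", "NON_COMPLIANT",
           rule="some-other-rule"),
]

def is_noncompliant_volume(event):
    """Same match an EventBridge pattern for this rule would express."""
    d = event.get("detail", {})
    return (event.get("source") == "aws.config"
            and event.get("detail-type") == "Config Rules Compliance Change"
            and d.get("configRuleName") == RULE_NAME
            and d.get("resourceType") == "AWS::EC2::Volume"
            and d.get("newEvaluationResult", {}).get("complianceType") == "NON_COMPLIANT")

def monthly_report(events, year, month):
    """CSV of volumes seen NON_COMPLIANT in the month, one row per volume."""
    first_seen = {}
    for e in filter(is_noncompliant_volume, events):
        ts = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        if (ts.year, ts.month) != (year, month):
            continue
        d = e["detail"]
        key = (d["awsAccountId"], d["awsRegion"], d["resourceId"])
        first_seen[key] = min(ts, first_seen.get(key, ts))  # keep earliest finding
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["account_id", "region", "volume_id", "first_noncompliant_utc"])
    for key in sorted(first_seen):
        w.writerow([*key, first_seen[key].isoformat() + "Z"])
    return out.getvalue()
```

Volume vol-0aaa is remediated 25 minutes after detection and still appears in the March report, which is the behaviour the reporting requirement asks for.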
AWS Certified CloudOps Engineer Associate SOA-C03
Security and Compliance