AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A company stores customer data in hundreds of S3 buckets across multiple AWS accounts. The security team needs an automated data classification scheme that discovers PII and assigns an S3 object tag (Public, Confidential, Restricted) so IAM policies and lifecycle rules can act on the tag. They want the solution with minimal custom code using AWS native services. Which approach meets these requirements?

  • Export daily S3 Inventory reports to Amazon Athena, run Glue-based SQL queries to locate PII, and execute an AWS Batch job that updates object tags with the AWS CLI.

  • Create AWS Config advanced queries that scan S3 object metadata, and set up a managed Config rule that automatically tags objects based on the query results.

  • Turn on Amazon GuardDuty in every account, enable S3 protection, and configure Systems Manager Automation to tag any object that appears in GuardDuty findings.

  • Enable Amazon Macie across the organization, schedule sensitive data discovery jobs, and use an EventBridge rule to invoke an AWS Lambda function that adds the appropriate classification tag to each finding's S3 object.

Security and Compliance