AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
Your company recently subscribed to AWS Shield Advanced and protected several internet-facing Application Load Balancers (ALBs). As the CloudOps engineer, you must create a recurring audit that answers two questions for management: (1) Which ALBs in the account are still not protected by Shield Advanced? (2) Have any Shield-detected DDoS events occurred on protected resources during the last 30 days? Which combination of AWS services provides the simplest way to supply this information without writing custom code?
Create an AWS Config rule to evaluate Shield protection and use the AWS/DDoSProtection metrics in Amazon CloudWatch to review recent DDoS incidents.
Deploy AWS Firewall Manager Shield policies and rely on its compliance reports, which automatically include past DDoS activity.
Query AWS CloudTrail logs with Amazon Athena to list protected resources and to detect DDoS-related API calls.
Enable AWS Security Hub; use its Findings dashboard for both Shield coverage gaps and historical DDoS events.
AWS Config offers the managed rule "shield-enabled-resource" that evaluates whether Elastic Load Balancers, CloudFront distributions, and Elastic IP addresses are enrolled in Shield Advanced; its compliance reports list any unprotected ALBs. Shield Advanced automatically publishes DDoS event summaries to CloudWatch metrics and to AWS CloudTrail. Enabling the "AWS Shield Advanced" data source in AWS CloudTrail Lake (or simply querying CloudTrail) surfaces DDoSDetected and DDoSMitigationStarted events, but Config plus CloudTrail alone does not present a consolidated view. Security Hub can aggregate multiple findings, yet it relies on Config rules for Shield coverage and does not surface DDoS events. Firewall Manager policies report coverage, but they require an AWS Organizations management account and do not by themselves expose historical DDoS events. Therefore, combining AWS Config's managed rule with CloudWatch metrics that Shield Advanced automatically emits is the most straightforward, no-code solution: Config answers the coverage question; the AWS/DDoSProtection metrics (such as DDoSDetected) in CloudWatch answer the event-history question.
Networking and Content Delivery