Amazon SOA-C03 - Amazon AWS Certified CloudOps Engineer - Associate Certification Exam
Question #1 (Topic: demo questions)
A multinational company uses an organization in AWS Organizations to manage over 200 member accounts across multiple AWS Regions. The company must ensure that all AWS resources meet specific security requirements. The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must completely block root user actions in all member accounts. The company must prevent any user from deleting AWS CloudTrail logs, including administrators. The company requires a centrally managed solution that the company can automatically apply to all existing and future accounts. Which solution will meet these requirements?
Correct Answer: C
Explanation:
AWS CloudOps governance best practices emphasize centralized account management and preventive guardrails. AWS Control Tower integrates directly with AWS Organizations and provides “Region deny controls” and “Service Control Policies (SCPs)” that apply automatically to all existing and newly created member accounts. SCPs are organization-wide guardrails that define the maximum permissions for accounts. They can explicitly deny actions such as launching EC2 instances in a specific Region, or block root user access. To prevent CloudTrail log deletion, SCPs can also include denies on cloudtrail:DeleteTrail and s3:DeleteObject actionstargeting the CloudTrail log S3 bucket. These SCPs ensure that no user, including administrators, can violate the compliance requirements. AWS documentation under the Security and Compliance domain for CloudOps states: “Use AWS Control Tower to establish a secure, compliant, multi-account environment with preventive guardrailsthrough service control policies and detective controlsthrough AWS Config.” This approach meets all stated needs: centralized enforcement, automatic propagation to new accounts, region-based restrictions, and immutable audit logs. Options A, B, and D either detect violations reactively or lack complete enforcement and automation across future accounts. Reference:• AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide – Domain 4: Security and Compliance• AWS Control Tower – Preventive and Detective Guardrails• AWS Organizations – Service Control Policies (SCPs)• AWS Well-Architected Framework – Security Pillar (Governance and Centralized Controls)
Question #2 (Topic: demo questions)
A company runs an application that logs user data to an Amazon CloudWatch Logs log group. The company discovers that personal information the application has logged is visible in plain text in the CloudWatch logs. The company needs a solution to redact personal information in the logs by default. Unredacted information must be available only to the company's security team. Which solution will meet these requirements?
Correct Answer: C
Explanation: