A company's security policy requires that all Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled. The SysOps administrator needs to automatically detect any existing or new S3 bucket that does not have SSE-KMS enabled and automatically apply the encryption configuration. The solution must use managed AWS services with minimal custom code. Which combination of AWS services should be used?

Enable default encryption on the AWS account's S3 buckets using an S3 account-level setting in the S3 console, which automatically applies SSE-KMS to all new buckets.

There is no account-level default encryption for all S3 buckets. Default encryption must be configured per bucket. This option is not feasible.

Create an AWS CloudTrail event that triggers an AWS Lambda function when a bucket is created, and the Lambda applies SSE-KMS encryption. Use AWS Config to periodically scan existing buckets and apply encryption.

While this could work, it uses CloudTrail events for bucket creation and a separate periodic Lambda for existing buckets. This is more complex and requires two Lambda functions, whereas AWS Config can handle both detection and remediation in a unified way.

Use AWS Identity and Access Management (IAM) with a Service Control Policy (SCP) that denies any S3 bucket creation without SSE-KMS enabled, and use AWS Config to detect and notify on non-compliance.

SCP can prevent creation of buckets without encryption but does not remediate existing buckets. The requirement includes detecting and remediating both existing and new buckets. This solution only addresses new buckets and does not automatically apply encryption to existing ones.

What does this SOA-C02 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Use AWS Config with a custom rule backed by an AWS Lambda function that checks if 'x-amz-server-side-encryption' is 'aws:kms' and auto-remediates by attaching a bucket policy that denies PUTs without SSE-KMS. — AWS Config provides managed rules such as 's3-bucket-server-side-encryption-enabled' which can check if buckets have encryption enabled, but that rule does not enforce SSE-KMS specifically. A custom rule using AWS Config with a Lambda function can check for SSE-KMS. However, the question asks for minimal custom code. AWS Config also supports automatic remediation via Systems Manager Automation documents. There is a managed remediation action for S3 bucket encryption, but it may not be SSE-KMS specific. A simpler managed approach is to use S3 Bucket Policies to deny PUTs without encryption, but that doesn't retroactively fix existing buckets. AWS Config can be used with a managed rule 's3-bucket-ssl-requests-only' but that's for SSL. the best combination is to use AWS Config with the managed rule 's3-bucket-server-side-encryption-enabled' (which checks for any server-side encryption, not just SSE-KMS) and then use AWS Config remediation with a Systems Manager Automation document to apply SSE-KMS to non-compliant buckets. However, the automation document may need to be created or customized. Alternatively, use AWS Service Catalog to enforce encryption at creation. The least custom code approach is to use AWS Config with a managed rule and then use AWS Lambda for remediation if no managed automation exists. But there is a pre-built AWS Config managed rule 's3-bucket-server-side-encryption-enabled' and an associated remediation action that enables SSE-S3. To enforce SSE-KMS, a custom Lambda is needed. But let's look for an option that uses AWS Config with a managed rule plus SCP? SCP can prevent creation without encryption but does not remediate existing. The best answer likely uses a combination of AWS Config with a custom rule (which requires some code) but the question says minimal custom code. However, among options, one may suggest using AWS Config + Systems Manager Automation with a pre-built document for SSE-KMS? There is no pre-built one for SSE-KMS. So the correct approach is: use AWS Config with a custom rule (Lambda) to detect non-compliance, and a remediation action using another Lambda to apply SSE-KMS. That's minimal but not zero code. Let's craft the answer based on AWS best practices: Use AWS Config with a custom AWS Lambda rule that checks for SSE-KMS, and AWS Config auto-remediation that calls a Lambda function to modify the bucket. This is a common pattern. The correct option should mention that.

What should I do if I get this SOA-C02 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.