Security and Compliance · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to use AWS Config with the 's3-bucket-server-side-encryption-enabled' managed rule and configure automatic remediation to apply SSE-KMS. This combination works because AWS Config continuously evaluates your S3 buckets against the encryption rule, and when it detects a non-compliant bucket, it triggers an AWS Systems Manager Automation document that automatically applies the required SSE-KMS encryption without manual intervention. On the AWS Certified SysOps Administrator Associate SOA-C02 exam, this scenario tests your understanding of how to enforce security policies at scale using AWS Config’s remediation actions, not just detection. A common trap is choosing S3 bucket policies or IAM roles, which can enforce encryption for new uploads but cannot retroactively fix existing unencrypted buckets. Remember the key distinction: AWS Config detects and remediates, while bucket policies only prevent future violations. Memory tip: Think "Config + SSM = automatic fix" for any compliance enforcement question.

SOA-C02 Security and Compliance Practice Question

This SOA-C02 practice question tests your understanding of security and compliance. After answering, compare your reasoning against the explanation and wrong-answer breakdown below, then read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company's security policy requires that all new Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled by default. A SysOps administrator wants to enforce this requirement for all current and future S3 buckets in the account. Which AWS service or feature should be used to automatically apply this configuration?


Correct answer & explanation

Use AWS Config with the 's3-bucket-server-side-encryption-enabled' managed rule and configure automatic remediation to apply SSE-KMS when a non-compliant bucket is detected.

Option D is correct because AWS Config with the 's3-bucket-server-side-encryption-enabled' managed rule can evaluate S3 buckets for compliance with server-side encryption requirements. When a non-compliant bucket is detected, automatic remediation can be configured to apply SSE-KMS using an AWS Systems Manager Automation document, ensuring all current and future buckets meet the security policy without manual intervention.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A. Enable S3 default encryption at the account level in the S3 console.

    Why it's wrong here

    S3 does not have an account-level default encryption setting. Default encryption must be enabled on each bucket individually.

  • B. Create an AWS CloudTrail trail that captures S3 API calls and triggers a Lambda function to enable encryption on any bucket that is created without it.

    Why it's wrong here

    This is possible but requires custom code and is not a managed solution. It also does not fix existing buckets automatically.

  • C. Use an AWS Organizations Service Control Policy (SCP) to deny the s3:PutBucketPublicAccessBlock action, forcing users to enable encryption.

    Why it's wrong here

    SCPs are used to control permissions, not to directly configure encryption. Also, this does not automatically enable encryption on existing buckets.

  • D. Use AWS Config with the 's3-bucket-server-side-encryption-enabled' managed rule and configure automatic remediation to apply SSE-KMS when a non-compliant bucket is detected.

    Why this is correct

    AWS Config can evaluate all buckets (current and future) against the rule. Automatic remediation can invoke an SSM Automation document or a Lambda function to enable SSE-KMS on the bucket, meeting the requirement with a managed service.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates confuse S3 default encryption (which is bucket-level only) with account-level enforcement, or they mistakenly think SCPs can directly enable encryption rather than just deny actions, leading them to pick options that are reactive or misaligned with the requirement.

Detailed technical explanation

How to think about this question

AWS Config's managed rule 's3-bucket-server-side-encryption-enabled' evaluates buckets against a parameter that specifies the expected encryption type (e.g., 'aws:kms' for SSE-KMS). Automatic remediation uses an SSM Automation document (e.g., 'AWS-EnableS3BucketEncryption') to apply the encryption configuration, which modifies the bucket's default encryption settings via the PutBucketEncryption API. This approach ensures continuous compliance, as AWS Config re-evaluates resources periodically and on configuration changes, catching both new and existing buckets.
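As an added illustration (not code from the page, from AWS Config, or from the SSM document), the following Python models the rule verdict described above, with the expected-algorithm parameter the explanation mentions, and builds the PutBucketEncryption body the remediation step would send. The bucket responses, bucket names and the key alias are constructed samples; the function names are hypothetical.

```python
from typing import Any, Dict, Optional

# Constructed sample data shaped like S3 GetBucketEncryption responses.
# The real API raises ServerSideEncryptionConfigurationNotFoundError for a
# bucket with no default encryption; that case is modelled here as None.
SAMPLE_BUCKETS: Dict[str, Optional[Dict[str, Any]]] = {
    "archive-kms": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/s3-default"}}]}},
    "logs-sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "legacy-unencrypted": None,
}


def default_sse_algorithm(response: Optional[Dict[str, Any]]) -> Optional[str]:
    """Return the bucket's default SSE algorithm ("AES256" or "aws:kms"), or None."""
    if not response:
        return None
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        by_default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        if by_default.get("SSEAlgorithm"):
            return by_default["SSEAlgorithm"]
    return None


def evaluate_bucket(response: Optional[Dict[str, Any]],
                    expected: Optional[str] = "aws:kms") -> str:
    """Rule verdict (hypothetical local model): expected=None accepts any SSE
    (SSE-S3 or SSE-KMS); expected="aws:kms" requires SSE-KMS specifically."""
    algorithm = default_sse_algorithm(response)
    if algorithm is None or (expected is not None and algorithm != expected):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def remediation_request(bucket: str, kms_key_id: str) -> Dict[str, Any]:
    """Build the PutBucketEncryption call body that applies SSE-KMS by default."""
    return {
        "Bucket": bucket,
        "ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id},
            "BucketKeyEnabled": True,  # S3 Bucket Key reduces KMS request volume
        }]},
    }


def plan_remediations(buckets, kms_key_id, expected="aws:kms"):
    """Map each NON_COMPLIANT bucket to the PutBucketEncryption call that fixes it."""
    return {name: remediation_request(name, kms_key_id)
            for name, response in buckets.items()
            if evaluate_bucket(response, expected) == "NON_COMPLIANT"}
```

Note that an AES256 (SSE-S3) bucket is compliant when any SSE is acceptable but non-compliant when the policy demands SSE-KMS, which is the distinction between the main question and the SSE-S3 variations below.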

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.



Same concept, more angles

4 more ways this is tested on SOA-C02

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company's security policy requires that all Amazon S3 buckets must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

Difficulty: medium
  • A. AWS Config and AWS Lambda
  • B. Amazon GuardDuty and AWS Lambda
  • C. AWS CloudTrail and Amazon EventBridge
  • D. Amazon Macie and AWS Step Functions

Why A: AWS Config can evaluate S3 bucket configurations against a managed rule (s3-bucket-server-side-encryption-enabled) to detect non-compliant buckets. When a non-compliant bucket is detected, AWS Config can trigger an AWS Lambda function via an Amazon EventBridge rule or a custom remediation action to automatically enable SSE-S3 encryption on the bucket. This combination uses managed services and minimizes custom code, meeting the security policy requirement.

Variation 2. A company's security policy requires that all Amazon S3 buckets must be encrypted at rest with AWS Key Management Service (AWS KMS) customer managed keys. A SysOps administrator discovers that some buckets are not encrypted. Which combination of AWS services should be used to automatically detect and remediate non-compliant buckets using infrastructure as code?

Difficulty: hard
  • A. AWS Config with a managed rule and AWS Lambda for automatic remediation.
  • B. AWS CloudTrail and Amazon GuardDuty.
  • C. Amazon Inspector and AWS Systems Manager.
  • D. Amazon Macie and AWS CloudFormation.

Why A: AWS Config with a managed rule (e.g., s3-bucket-server-side-encryption-enabled) can continuously evaluate S3 buckets for compliance with the encryption policy. When a non-compliant bucket is detected, AWS Config can automatically invoke an AWS Lambda function to remediate the issue, such as enabling encryption with a customer managed KMS key. This combination provides automated detection and remediation using infrastructure as code, as the Config rule and Lambda function can be defined in AWS CloudFormation or similar IaC tools.

Variation 3. A company's security policy requires that all Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled. The SysOps administrator needs to automatically detect any existing or new S3 bucket that does not have SSE-KMS enabled and automatically apply the encryption configuration. The solution must use managed AWS services with minimal custom code. Which combination of AWS services should be used?

Difficulty: medium
  • A. Use AWS Config with a custom rule backed by an AWS Lambda function that checks if 'x-amz-server-side-encryption' is 'aws:kms' and auto-remediates by attaching a bucket policy that denies PUTs without SSE-KMS.
  • B. Enable default encryption on the AWS account's S3 buckets using an S3 account-level setting in the S3 console, which automatically applies SSE-KMS to all new buckets.
  • C. Create an AWS CloudTrail event that triggers an AWS Lambda function when a bucket is created, and the Lambda applies SSE-KMS encryption. Use AWS Config to periodically scan existing buckets and apply encryption.
  • D. Use AWS Identity and Access Management (IAM) with a Service Control Policy (SCP) that denies any S3 bucket creation without SSE-KMS enabled, and use AWS Config to detect and notify on non-compliance.

Why A: Option A is correct because it uses AWS Config with a custom Lambda-backed rule to detect non-compliant S3 buckets (those missing SSE-KMS) and auto-remediate by attaching a bucket policy that denies PUT requests without the 'x-amz-server-side-encryption: aws:kms' header. This satisfies the requirement for minimal custom code (only the Lambda function) and uses managed AWS services (AWS Config, Lambda, S3) to automatically detect and fix both existing and new buckets.

Variation 4. A company's security policy requires that all Amazon S3 buckets must have server-side encryption (SSE-S3 or SSE-KMS) enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and remediate it by enabling SSE-S3. Which AWS service should be used to implement this automated compliance enforcement?

Difficulty: medium
  • A. AWS Config
  • B. Amazon Inspector
  • C. AWS Trusted Advisor
  • D. Amazon Macie

Why A: AWS Config is the correct service because it provides managed rules (e.g., s3-bucket-server-side-encryption-enabled) that can continuously evaluate S3 bucket configurations against the security policy. When a non-compliant bucket is detected, AWS Config can trigger an automatic remediation action via Systems Manager Automation to enable SSE-S3, enforcing compliance without manual intervention.

Last reviewed: Jun 11, 2026
