An organization wants to ensure that no Amazon S3 bucket in the entire AWS Organization can be made public. The security team requires a preventive control that cannot be overridden by individual account administrators. Which AWS service or feature should be used?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Create a Service Control Policy (SCP) in AWS Organizations that denies permissions to modify S3 bucket public access settings.
SCPs are applied at the organization or OU level and cannot be overridden by account administrators. They can explicitly deny actions that would make buckets public, providing a preventive control across all accounts.
Distractor review
Enable AWS Config rules in each account to detect public S3 buckets and automatically remediate them using AWS Lambda.
AWS Config rules are detective and reactive, not preventive. They can remediate after creation but do not prevent an account admin from making a bucket public in the first place.
Distractor review
Use an IAM policy attached to all IAM users in each account that denies s3:PutBucketPolicy.
IAM policies only affect users and roles, not the root user or resources created by AWS services. An account administrator with full administrative privileges could override this policy.
Distractor review
Apply Amazon S3 Block Public Access at the account level in each individual AWS account.
S3 Block Public Access at the account level is a strong setting, but it can be disabled by an account root user or admin with appropriate permissions. It is not a fully preventive control across an organization as it can be bypassed by account administrators.
Common exam trap
Common exam trap: ACLs stop at the first match
ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.
Technical deep dive
How to think about this question
ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.
Key Concepts to Remember
- Standard ACLs match source addresses.
- Extended ACLs can match source, destination, protocol and ports.
- The first matching ACL entry is used.
- There is usually an implicit deny at the end.
Exam Day Tips
- Check inbound versus outbound direction.
- Read the ACL from top to bottom.
- Look for a broader permit or deny above the intended line.
Related practice questions
Related SOA-C02 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A company uses Amazon CloudFront to deliver content to a global audience. The origin is an Application Load Balancer in us-east-1. The SysOps administrator wants to reduce costs by minimizing the number of requests that reach the origin server. Which action should the administrator take?
Question 2
A company runs a batch processing application on Amazon EC2 that runs for 2 hours every night. The workload can tolerate interruptions. Which EC2 purchasing option provides the lowest cost for this use case?
Question 3
A SysOps administrator needs to monitor the CPU utilization of an Amazon RDS DB instance and receive an alarm when CPU utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to create this alarm?
Question 4
A company runs a critical web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application uses session stickiness (sticky sessions) to maintain user sessions. The SysOps administrator notices that when instances are replaced during a scale-in or failure event, users lose their session data. The administrator needs to preserve session data across instance failures without losing stickiness benefits. What should the administrator do?
Question 5
A company runs a production web application on a single Amazon EC2 instance. The application experiences a predictable and steady workload 24/7. The SysOps administrator wants to minimize compute costs for this instance while ensuring it remains available during the expected workload. Which EC2 purchasing option should the administrator use?
Question 6
A company has a VPC with public and private subnets. The private subnets host application servers that need to make outbound HTTPS connections to the internet. The SysOps administrator must implement a solution that provides outbound internet connectivity while preventing inbound connections from the internet. Additionally, the solution must allow the company to control which domains the application servers can access. Which solution should the administrator implement?
FAQ
Questions learners often ask
What does this SOA-C02 question test?
Standard ACLs match source addresses.
What is the correct answer to this question?
The correct answer is: Create a Service Control Policy (SCP) in AWS Organizations that denies permissions to modify S3 bucket public access settings. AWS Organizations Service Control Policies (SCPs) can be applied to the root or to organizational units (OUs) to restrict permissions for all IAM users and roles in the member accounts. An SCP that denies the s3:PutBucketPublicAccessBlock, s3:PutBucketAcl and s3:PutBucketPolicy actions that would allow public access can enforce a blanket ban. AWS Config can detect but not prevent. IAM policies in individual accounts can be overridden by account admins. S3 Block Public Access at the account level can be effective but can be changed by the root user in the account, whereas an SCP cannot be overridden by account admins. So an SCP is the correct preventive control.
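To make the "best answer" and the FAQ explanation above concrete, here is an added example (not part of the original page or any AWS sample): a constructed SCP document that denies the S3 public-access actions named on this page, together with a deliberately simplified local model of how AWS evaluates an SCP Deny against an identity policy. The action names are real S3 IAM actions; the exempt role name OrgSecurityBreakGlass, the account ID and the principal ARNs are hypothetical values chosen for the example, and the evaluator assumes the default FullAWSAccess SCP is still attached so that only the Deny matters.

```python
"""Added example: an SCP guardrail for S3 public access and a simplified
evaluator showing why an account admin's IAM Allow cannot override it."""
import fnmatch
import json

# Constructed SCP document. The S3 action names are real IAM actions; the
# "OrgSecurityBreakGlass" role used as the exemption is a hypothetical name.
S3_PUBLIC_ACCESS_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyS3PublicAccessChanges",
            "Effect": "Deny",
            "Action": [
                "s3:PutBucketPublicAccessBlock",
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketPolicy",
                "s3:PutBucketAcl",
                "s3:PutObjectAcl",
            ],
            "Resource": "*",
            # Optional exemption so a single, tightly controlled org role can
            # still change the settings during a reviewed break-glass event.
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityBreakGlass"
                }
            },
        }
    ],
}


def scp_json() -> str:
    """Return the SCP as the JSON text you would pass to
    `aws organizations create-policy --type SERVICE_CONTROL_POLICY`."""
    return json.dumps(S3_PUBLIC_ACCESS_GUARDRAIL, indent=2)


def _scp_explicitly_denies(scp: dict, action: str, principal_arn: str) -> bool:
    """True if any Deny statement matches the action and the caller is not
    excluded by the statement's ArnNotLike exemption (if it has one)."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and fnmatch.fnmatchcase(principal_arn, exempt):
            continue  # the exempt principal is outside this Deny
        return True
    return False


def effective_decision(scp: dict, action: str, principal_arn: str,
                       identity_policy_allows: bool) -> str:
    """Simplified model of the AWS decision for a member-account principal.

    An SCP explicit Deny wins no matter what the identity policy grants; the
    identity policy only matters once the SCP does not deny. Assumes the
    default FullAWSAccess SCP is attached, so no separate SCP Allow is modelled.
    Returns "deny" or "allow".
    """
    if _scp_explicitly_denies(scp, action, principal_arn):
        return "deny"
    return "allow" if identity_policy_allows else "deny"


if __name__ == "__main__":
    admin = "arn:aws:iam::123456789012:role/AccountAdmin"       # constructed
    breakglass = "arn:aws:iam::123456789012:role/OrgSecurityBreakGlass"
    print(scp_json())
    # An account admin holding AdministratorAccess is still denied.
    print(effective_decision(S3_PUBLIC_ACCESS_GUARDRAIL, "s3:PutBucketPolicy", admin, True))
    # Ordinary S3 use in that account is unaffected.
    print(effective_decision(S3_PUBLIC_ACCESS_GUARDRAIL, "s3:GetObject", admin, True))
    # Only the exempt org role can touch the public-access settings.
    print(effective_decision(S3_PUBLIC_ACCESS_GUARDRAIL, "s3:PutBucketPublicAccessBlock", breakglass, True))
```

Two practical points the model makes visible: the Deny applies even to a principal whose identity policy grants full administrative access, which is what makes the control preventive rather than detective, and the exemption is expressed with a principal ARN pattern inside the policy itself rather than by giving someone permission to edit the SCP. Note that SCPs also bind the root user of member accounts but never the management account, so the SCP should be attached at the root or OU level and the management account should not host workloads that could bypass it.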
What should I do if I get this SOA-C02 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.