A company uses a configuration management tool to enforce desired state on cloud servers. During an audit, it is discovered that some servers have deviated from the baseline configuration. The administrator runs a report and finds that the configuration management agent was not running on those servers. Which of the following is the BEST solution to ensure continuous compliance?
Automated scans and remediation enforce continuous compliance.
Why this answer
Option D is correct because it automates the detection and correction of configuration drift without manual intervention. By implementing a periodic compliance scan (e.g., using AWS Config rules or Azure Policy) coupled with an auto-remediation action (e.g., a Lambda function or runbook), the system can restart the configuration management agent or reapply the desired state automatically, ensuring continuous compliance even if the agent stops temporarily.
Exam trap
The trap here is that candidates focus on fixing the immediate deviation (options A, B, or C) rather than implementing a proactive, automated process to detect and correct future agent failures, which is the core of continuous compliance in cloud operations.
How to eliminate wrong answers
Option A is wrong because reinstalling the agent does not address the root cause of why the agent stopped running; it only provides a temporary fix without ensuring the agent remains active. Option B is wrong because removing and rebuilding servers is an extreme, disruptive approach that does not scale and does not prevent future agent failures. Option C is wrong because manual updates are error-prone, do not scale across multiple servers, and do not provide a mechanism to detect or correct future deviations automatically.